MS-DEFCON 3: Lots of caveats, but it’s time to get patched

Topic

New Reply

The January 2018 patches are now history. Thank heavens. I hesitate to say it, but it’s time to take proper precautions, and get the January patches i
[See the full post at: MS-DEFCON 3: Lots of caveats, but it’s time to get patched]

11 users thanked author for this post.

Pim, Lori, Elly, Heavenly, geekdom, JDeC, Tiernan, AJNorth, HiFlyer, Pepsiboy, WildBill

Reply | Quote

Replies

I can hold out until the details arrive in Computerworld. It was almost looking like another skipped month, IMO. Let’s hope the short month of February is uneventful.

Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
Wild Bill Rides Again...

Reply | Quote

Agreed.

Let’s hope the full article deals with the different aspects as they may apply e.g. to AMD or Intel users.

Thanks to Woody in anticipation, and thanks also to those in the team who I’m sure he will have looked to for their thoughts in what I think we can all agree has been a nigh on impossible month to make sense of.

1 user thanked author for this post.

JDeC

Reply | Quote

No thanks i’m not going to install these  january patches that patch something that will unlikely ever  i bought a 6700k cpufor performance, i will not allow that to be compromised  for  imo a non-existent threat

1 user thanked author for this post.

FakeNinja

Reply | Quote

That’s a perfectly reasonable response, if you’re willing to accept the possibility that some major malware may appear before you get patched. At this point, nobody knows, but there are signs of a lot of effort being devoted to using Meltdown/Spectre vulnerabilities. And the bugs in the January patches are reasonably well know. For February… your guess is a good as mine.

1 user thanked author for this post.

AJNorth

Reply | Quote

THIRD BASE.

 

(BTW Boss, is it now time to give up on getting Email notifications via an Outlook.com address?  Tnx.)

Reply | Quote

That’s a bug in the AskWoody software. We’re working on it.

1 user thanked author for this post.

AJNorth

Reply | Quote

Mucho Garcia!

 

(When in trouble, when in doubt – run in circles, scream and shout.)

Reply | Quote

Wait a minute…..Woody – Are you saying that we don’t have to install January’s Updates if were unsure if it’ll effect our systems somehow? Even for those with Windows 10? We can pull off from January patches and just wait to install the February patches?

You mean we as users who have Win 7 and 10 can decide what is best for our computers? We don’t have to install January’s patches if we don’t want to due to all the chaos and gooey confusion we’ve faced with this and that?

Reply | Quote

As far as I know, the only major problem solved by the January patches is the Equation Editor vulnerability — and I talked about manually disabling that a month ago.

All of the other patches are speculative, at this point. If you think you’re lucky enough, go ahead and wait for February….

3 users thanked author for this post.

Elly, Noel Carboni, JDeC

Reply | Quote

Skipping, as I’m not sure what the actual performance hit will be on old hardware running 7. Going to get a test rig for linux distros in the next couple of weeks

Reply | Quote

Sometimes I’m not sure what is keeping me safe. I haven’t had any unwanted malware on my computer since Win98 which was my first computer ever (Had lots of fun reinstalling the OS several times as I moved along the learning curve)

Was it the diligent patching of my machine? Was it my antivirus ? Seems all I get is the odd false positive there. Is it because I use an adblocker? Is it because I use NoScript? Is it because I run everything exposed to the internet in Sandboixe? I also use HitmanProAlert but lately it just seems to complain about Sandboxie from time to time.

When it comes to patches how much are they contributing to your security ? They won’t talk to you the way an antivirus does.

Not dissing patches here, just wondering.

January was a fun month, neither of our machines Win7-32 and Win10-64 would get the security update through WU even though I tweaked AVs, made sure the right registry key was set, ran WU troubleshooter etc. I feel now like I’m resigned to manually downloading the security patches every month. But nor for long because Windows is getting kicked out of our house this year for good………. I’m tired of babysitting Redmond’s junk.

 

 

3 users thanked author for this post.

Steve, Noel Carboni, Cybertooth

Reply | Quote

Unlike Microsoft’s patch descriptions, your Computerworld article is definative, descriptive and helpful.

Thanks again Woody!

Let’s hope that February’s 2018 patches are like February 2017, namely W8.1 🙂

If debian is good enough for NASA...

2 users thanked author for this post.

AJNorth, Cascadian

Reply | Quote

One word of caution on Kevin Beaumont’s list of antivirus products’ readiness for the Spectre patches, linked in Woody’s ComputerWorld article – it was last updated January 11th, and isn’t complete (others have since updated).

3 users thanked author for this post.

OscarCP, MrBrian, woody

Reply | Quote

Say Woody which 1703 updates are safe when it comes to update for windows 10 1703 x64 system? there’s KB4023057 and KB4073543. Then there is update for windows 10 x64 system KB4056254. So I need to know which ones of those I need to install with the others. So which ones are safe to install even among the two 1703 windows 10 update I just told ya? I need to know those are the ones I’m concerned about.

 

Reply | Quote

See @abbodi86 information on those patches here.

1 user thanked author for this post.

woody

Reply | Quote

Ahhh~I see these sneaky devils try to install 1709. But yeah I am leaning toward NOT installing January’s Updates just to be safe.

Besides I don’t need anymore stress right now. I think my Lenovo can do without icky-gooey January patches for the month and get a fresh, clean updates from Feb updates once were at Defcon3.

Reply | Quote

I should’ve included that info in the Computerworld article….

Reply | Quote

So is it safe to install the win 10 flash player, cumulative AND monthly malware protector updates and ignore the win 10 1703 and system updates that hide the 1709 force update in some odd way?

I mean I am fine installing flash, cumulative and monthly malware and that way in a somewhat way my computer is safe and come february-it’ll have new system updates WITH NO HIDDEN 1709 FORCE updates to try to ruin my baby.

Reply | Quote

Yes.

Reply | Quote

Thank you PK. 🙂 Then I’ll install the flash player, cumulative and monthly malware protector. 🙂 I’ll do it tomorrow morning or tonight before bed. Pheww~THAT LIFTS A WHOLE LOT OFF MY shoulders PK I can’t thank you enough. 😀

 

Reply | Quote

Unsure about performing the patches as I’m not sure on the situation with AMD machines, considering earlier in January the Meltdown/Spectre patches were making it so they could not boot at all.

Honestly too afraid of the patch bricking my PC by making it unable to boot, I wouldn’t know how to fix that if it happened as I’m not as tech-savvy as other users on here if I had to run a Startup Repair sourced command line.

Reply | Quote

I haven’t heard of any AMD-specific problems with the latest patches, except Phenom II machines mentioned in the article.

Reply | Quote

Accidentally clicked the wrong button to reply to you so decided to just go ahead and register.

 

So my FX-Series should be fine?  If so which patch should I nab since it seems they revised them so many times, or is the AKB2000003 links the most up to date?

Reply | Quote

If you’re talking about manually installing security-only patches, yep, AKB 2000003 has the latest.

For most folks, Monthly Rollup should be fine.

1 user thanked author for this post.

JDeC

Reply | Quote

Alright, thanks.  And yeah ever since the GWX debacle, when I first discovered the site, I’ve been doing security only.  Running Windows 7 as well, was in a rush so I left out some details earlier lol.  I saw MrBrian’s post about using KB4073578 as the latest security patch, but I’m still uncertain so I may hold off until more info pops up on here for us AMD users.

Reply | Quote

I think I’ll skip January’s patches to be safe for me and my Windows 10 Lenovo Ideapad 320. I mean it’s been weeks, there has been chaos, confusion, re-releases, this and that-So it’s been a huge scare around the net.

Plus I don’t want to do anything I might regret and have to spend hours fixing the problem and get stressed out. So to save myself and my computer the trouble-I’m gonna skip January’s patches, relax at the Anime convention next week, keep the updates hidden including those of the February and install the February patches when there is the next defcon3.

I am skipping the January patch after reading the article Woody posted-I don’t want to deal with any gooeyness hidden in any of the updates.

Reply | Quote

IMPORTANT

For those of you who have Win10 1703:

If you find KB4023057, KB4073543, and/or KB4056254 in your January updates, please read @abbodi86 ‘s information on the patches before you install them.

1 user thanked author for this post.

woody

Reply | Quote

Okay PK-SO we shouldn’t install those updates then if it’ll cause the computer to force upgrade in some way to 1709. Then I SHALL Keep those hidden along with update to 1709 and install the Flash for Win 10, malware update, and cumulative.

Reply | Quote

PKCano:

Same question, but about Windows 7 (just in case, mine is Pro, SP1, x64; CPU is old Intel I-7 sandy bridge).

In particular, the safe (maybe, right now) KB numbers for: IE11 cumulative security only; Win 7 security only, and .Net.

Thanks.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

The above patches do not apply to WIn7 – only Win10 1703.

Please read @MrBrians comments in this thread about the Win7 security-only patches.

Reply | Quote

“As abbodi86 and I have mentioned elsewhere, KB4077561 can be considered the latest version of the Windows 8.1 Windows security-only update, and KB4073578 can be considered the latest version of the Windows 7 Windows security-only update.”

2 users thanked author for this post.

woody, AJNorth

Reply | Quote

Interestingly, the Belarc Advisor is showing all the Intel-based machines as being deficient in KB4056897. However, since none of the Windows boxes under my wing utilize AMD, I do not know whether Belarc would recommend KB4073578 for those that do (perhaps someone with an AMD processor can do that experiment and report back to us…).

1 user thanked author for this post.

SueW

Reply | Quote

Mr Brian said:
KB4073578 can be considered the latest version of the Windows 7 Windows security-only update.

1) Just to clarify wrt Win 7 … Did you mean the following patching route — ie. for those planning to install Jan 2018’s Security-Only Update ?

• Win 7 AMD users:  Should install KB 4073578 (instead of KB 4056897)
• Win 7 Intel users:  Should install KB 4056897 (original patch for both AMD & Intel CPUs)

Because you also previously said …

Mr Brian  (January 25, 2018 at 8:09 pm):
I didn’t install KB 4073578 because I don’t have an AMD processor.

Meanwhile, Microsoft’s KB article (below) indicates that AMD users who got boot-killed by KB 4056897 should install KB 4073578. I suppose Microsoft is assuming that affected AMD users are able to get into command prompt (eg. via OS install/repair disc) & uninstall KB 4056897 first, before installing KB 4073578 in order to get Jan 2018’s security fixes.

KB 4056897:  https://support.microsoft.com/en-us/help/4056897
Issue: Microsoft has reports of some customers on a small subset of older AMD processors getting into an unbootable state after installing this KB [4056897]. This issue is resolved in KB 4073578.

2) There are some (older ?) Intel CPU users who similarly got boot-killed by KB 4056897. So should such users also install the newer KB 4073578, even though the latter patch apparently applies only to AMD CPUs & only contains the fix based on updated AMD microcodes ?

3) As for KB 4056897 (original patch, meant for Intel CPUs), wasn’t this Security-Only Update created based on flawed microcodes supplied & subsequently withdrawn by Intel ? So by implication, should Intel users avoid installing Jan 2018’s security update KB 4056897 — & thus forgo the rest of security fixes contained within the same (non-cumulative) patch ?

Reply | Quote

(1) and (2): Please see https://www.askwoody.com/forums/topic/ms-defcon-3-lots-of-caveats-but-its-time-to-get-patched/#post-165156 and reply there if there are further questions.

(3): The January 2018 Windows updates don’t include microcode updates.

Reply | Quote

All this talk about skipping January updates has me curious.

If I’m Group B I can’t skip because the “security only” packages are not cumulative, correct?

Choices & independent thinking aside, the dilemma persists.  Having one more month until the next batch doesn’t seem like it will get me much except some slim hope that something gets revised in the interim.

Is there a serious warning from woody & crew to avoid skipping the January security only updates?  And what are the known advantages, if any?

 

Reply | Quote

See @MrBrian ‘s answer to this above #164935

3 users thanked author for this post.

woody, AJNorth, MrBrian

Reply | Quote

so for win7 b-group user on an old intel processor this months patches are

Jan 2018 KB 4056897
Jan 2018 (IE11) KB 4056568

and a recommended system image backup?

1 user thanked author for this post.

SueW

Reply | Quote

as i don’t have any amd hardware i don’t need amd fixes i assume?

and on windows 8.1 notebook: how do i find out if i need this 4077561 (release 1/24 for PIC/APIC stop errors)?

Reply | Quote

update to my question: on 8.1 notebook i skipped 4073576 but i installed 4056898 and 4077561. as 4077561 being the latest version, does it include 4073576?

for office 2010 there are two updates: 4011610, 4011611
for excel 2010 there is one update: 4011660
for word 2010 there is one update: 4011659
for outlook 2010 there is one update: 4011273

as i read about bugs in january office patches, which ones shoud i NOT install?

Reply | Quote

Please read @MrBrian ‘s comments about the security-only patches for Win8.1 in this tread.

Also, Woody;s ComputerWorld article, linked in the main blog, about the Office patches.

1 user thanked author for this post.

woody

Reply | Quote

as i’m not that good in english i installed all securtiy only patches for win 7: 4056897, 4073578 and ie11 4056568.

on 8.1 i leave out 4073576, as 4077561 being installed already and if i have right, 4077561 is a replacement update replacing 4056898 and 4073576. so 4073576 seems to be needless after 4077561 being installed already. if i have not read right… well, as i said, my english is not that good…

i also installed all office patches, malware removal tool and on 8.1 flash update.
i don’t have xp and i haven’t read anthing else regarding office 2010 patches…

of course NO optionals have been installed, also nothing .net related (optional).

Reply | Quote

after installing office updates, now there is .net security quality rollup availabe.
but as author of this article is not sure about .net, i will NOT install it unless anyone of you tells me to do so…

Reply | Quote

i forgot to mention: “important”, this new .net rollup is “important”.

Reply | Quote

Please read Woody’s advice on .NET patches in the ComputerWorld article linked in the main bolg.

Reply | Quote

okay, installing .net security quality rollup marked as “important”. i still do NOT install optional .net framework…

Reply | Quote

For Windows 7 and 8.1 users: If you’re in Group A, Windows Update might not offer you otherwise-applicable January 2018 updates for three reasons that have been mentioned already in other topics: antivirus compatibility, AMD processor issue, and PIC/APIC interrupt controller issue (Windows 8.1 only).

If you’re in Group B, you don’t have the Windows Update-provided update blacklisting for those three issues that Group A users have. Even if you install the latest January 2018 Windows security-only update replacements (KB4077561 for Windows 8.1, KB4073578 for Windows 7), you still may experience the antivirus compatibility issue, and this is also true for any future Windows security-only updates that include the Meltdown/Spectre fixes.

6 users thanked author for this post.

SueW, Elly, JDeC, AJNorth, woody, Cascadian

Reply | Quote

ANY CHANCE OF MACS IN YOUR FLEET, CAPTAIN WOODY?!

Ahoy Captain Woody!
Many thanks for keeping my beloved “Toshy” Win7 laptop safe for so long.
Happily harboured now offline for good and still going strong on Office 2007.

His replacement?
A classic MacBook Pro 2012 running El Capitan.
Office For Mac 2016 must have a “Special Team”!
Updates so far so good.
Mac OS Security Updates the same except…
Meltdown and Spectre!
Similar issues with Intel-based “fixes” on Macs too despite the usual Apple denial.

I still regularly check your excellent posts here and on Computer World and re-interpret them for Mac as best I can.
Your Pro Tips are great!
Especially on holding off on firmware and software security updates for Meltdown and Spectre that are useless or unnecessary.

So how about “Ask Woody On Macs”?
Bring light To The Dark Side Too, Captain!

Cheers!
Sainty
??⛵️??

Reply | Quote

My brain is totally wiped out just dealing with Windows!

If somebody would like to start issuing Mac/iOS patching recommendations, I’d be happy to host them. But for me, there ain’t enough hours in the day….

Reply | Quote

Believe me, Mac patching is not stressful.
I’ve never had a BSOD or failure to operate correctly afterward.

I can only watch the chaos that is Windows!!!

2 users thanked author for this post.

JDeC, AJNorth

Reply | Quote

Apple still believes in silly, outmoded concepts like testing patches before shipping them to the customers, presumably.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

1 user thanked author for this post.

Cybertooth

Reply | Quote

I’m a tad confused on the AMD issue.

Woody, you mention above that you’re only aware of AMD issues now with Phenom II machines as mentioned in the article, but that article only mentions them in the context of a specific Windows 10 update. I wasn’t under the impression that the AMD issue was only specific to Windows 10, so is that in fact the case or else what do those of us with Phenom II machines running Windows 7 do?

I’ve thus far only installed (an hour ago) the MSRT and KB4056894 (monthly rollup) on my Intel Windows 7 machine (which has an AMD Radeon graphics card) – so far so good. The plan is to leave it for a day or two before installing the .Net Framework update if all is well, and then the Office 2010 updates if all is well thereafter. Only after that will I consider what to do with my other Windows 7 machine which has an AMD Phenom II processor (and Nvidia graphics card).

Reply | Quote

I believe the outstanding AMD problems have been solved. The only current problem I see is the one mentioned in the article.

1 user thanked author for this post.

Seff

Reply | Quote

I think I’m going to skip as well for win10 1607, both mine and my parents’, until tis time for installing February patches or if an imminent threat appears, whichever one comes first…thanks Woody and the gang here, as always!

Reply | Quote

Being in Windows 8.1 Group A (more or less), I’m downloading KB4077561 1st to fix the PIC/APIC bug. Then applying the Rollups for Win 8.1, .NET Framework, Flash Security Update (even though I’ve turned off Flash), & the MSRT (Malicious Software Removal Tool). Along with those, the .NET Framework for 4.7.1 (KB4033369). Though I don’t use Skype, thinking of applying the Skype for Desktop 7.3 update (KB2876229) to get caught up. Also applying Office updates for January.

Don’t need to download the .NET Framework WPF fixit tool (KB4074906), since that’s for Win 7 SP1 & Windows Server 2008 R2 SP1. Not downloading KB4078130, since haven’t applied Intel microcode that the KB bypasses for Spectre 2; my processor is Ivy Bridge [Pentium 2020M], which Intel says isn’t affected by Spectre 2. I never apply KB2976978 (“compatibility update” unless I finally upgrade to Win 10), KB3080149 (Telemetry), & KB4023307 (Silverlight). Before all that…

I will update Windows Defender, remove Win32/Spectre.A with it, run a full scan to make sure I’m clean, then get Macrum Reflect Free & do a full image backup.

Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
Wild Bill Rides Again...

1 user thanked author for this post.

abbodi86

Reply | Quote

I’m also a little confused about installing (security only) KB4056897 or KB4073578. According to the Microsoft Support Page for KB4073578, this update is not a replacement for a previous released update. As stated in the article under, “Update Replacement information”. The article was last updated on Jan 19, 2018

1 user thanked author for this post.

JDeC

Reply | Quote

I have an AMD64, Athlon X2. I just now installed KB4073578, W7/64.

I am Group B. I use MSE and MBAM 3, both were current before I started the MSI installer.
– I stayed offline for the update.

It took a lot longer doing the system configuration than most updates, however that might be because it is a kernel update. Once the first round of configuration updates completed, I got the screen indicating that Windows was starting, then it started a second round of configuration. It took a while, but it completed successfully and I got the login screen. Trusted installer ran for about 40 minutes after that, then it completed.

I was concerned as the disk was thrashing and the system was at 100% most of the time – MSE and MBAM kept diving in while trusted installer tried to finish, after the system restart.

The system up and running just fine. No slowdown. As a test, I shut down completely and rebooted.
– All is well and the system is now supposedly protected from meltdown.

7 users thanked author for this post.

SueW, Elly, SkipH, MrBrian, jburk07, woody, Cascadian

Reply | Quote

What about the slowdowns? I really want to know if there’s a difference, especially now that Microsoft claims that “Windows 7/8.1 users will probably get the biggest slowdown” and given that the patch is hard to uninstall. Are there any good third party tests on this yet?

4 users thanked author for this post.

Pim, Elly, Noel Carboni, Cascadian

Reply | Quote

I have wondered if we are experiencing a First-party test right here on AskWoody. There are many variables involved in the repairs to a live environment, coinciding with updates applied, coinciding with massive public interaction on MSDefcon change day.

But while others had noted slowdown previously, I did not until today. And it is significant. All good things are truly worth waiting for.

Reply | Quote

Good question.

I’m not aware of any noticeable slowdowns with any of the latest patches. Of course, that’s based on personal machines. If you’re running an overloaded server, your mileage may well differ.

1 user thanked author for this post.

AJNorth

Reply | Quote

So, those not inclined not to trust January Patchmess in Group A could theoretically skip and wait for February patches meanwhile Group B have to patch regardless.

Are cracks in the patching framework are starting to appear?

If debian is good enough for NASA...

Reply | Quote

The problems surrounding Group B have only been getting more complicated for a while.

2 users thanked author for this post.

AJNorth, woody

Reply | Quote

That depends on how you look at it. Those in Group A will inevitably be blessed with January Patchmess in February anyway (monthly rollups are cumulative). Those in Group B can choose whether to patch now, or take their chances risking a Spectre/Meltdown infection just a little longer. It’s horses for courses, I guess.

Reply | Quote

Offering additional thanks on your writing style Woody. The complex can be made simple after all. I too was considering just letting JAN2018 go by without installing, then allowing FEB GroupA to do all the work. Decided to trust the Yellow3 you give, because of the doubt involved with predicting the future.

And thanks for the heads up you give NoLoki. My AV and chosen method does not match yours. But I think the differences will not prevent a similar delay. Your post allows me to relax when the same happens here.

Thanks to all involved, for the extra work this winter. Truly appreciated.

Reply | Quote

I am group A.
Is it safe to do the Group A January rollup patch via my windows update, or do I just sit tight?
I have never done a system image or a backup.  I have no idea of how to even go about it.

I have Microsoft Security Essentials
I use Chrome browser that was just updated to Version 64.

Dell Inspiron 660 (purchased in 2013) just replaced hard drive in November 2017 and had Windows 7 reloaded.
Windows 7 Home Premium 64 bit SP 1
Server 2008 R2 x64
Processor:  Intel i3-3240 (ivy bridge 3rd generation)
chipset Intel (R) 7 series/C216
chipset family SATA AHCI Controller -1 E02
After new hard drive installed went to Group A

 

I’m a bit nervous about applying January’s patch.

 

Reply | Quote

I installed the Rollup and the MSRT without any problem

2 users thanked author for this post.

dgreen, jburk07

Reply | Quote

For Group B advocates with Windows 7 concerned about which of the January security-only updates to apply, take a look at this site:

https://www.sevenforums.com/news/412466-kb4073578-update-fix-unbootable-state-amd-devices-windows-7-a.html

Basically, it is recommended there that you install KB 4056897 and KB 4073538 BUT ONLY restart your computer AFTER both updates have been installed. Do not restart after the first update, but only after both are installed. Apparently, this way the potential boot problem with 4056897 gets corrected before it happens.

3 users thanked author for this post.

SueW, Elly, JDeC

Reply | Quote

I would like to point out that the recommendation there is three weeks old.

MrBrian, today (see #16497)  recommends everyone with Windows 7  (Intel or AMD CPU)  installs KB4073578.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

2 users thanked author for this post.

Elly, JDeC

Reply | Quote

That appears to be an incorrect comment number, could you please clarify the thread it relates to? Is it the one in which MrBrian recommends that Windows 7 Group B users install KB4073578 as a replacement to the original January update? Microsoft say it isn’t a replacement for any other update. I’ve also seen it recommended that both updates are installed, and yet KB4073578 isn’t offered through WU to Group A users anyway. I think some clarification is needed here, not least for Group A Windows 7 AMD users whose current position is both precarious and unclear in my view – especially given that Woody’s article only lists an AMD Phenom II issue in relation to a specific version/update of Windows 10.

 

1 user thanked author for this post.

Steve D.

Reply | Quote

Group B should install KB4073578 only
Group A should install KB4057400 (preview rollup)

Microsoft general rule on metadata level is that non-security update do not replace security update, per se
but KB4073578 do contain and replace security-only components

3 users thanked author for this post.

JDeC, SueW, MrBrian

Reply | Quote

OK: So far I seem to get the idea that two (maybe) safe patch versions, for my Windows 7, x64, CPU Intel sandy bridge, are Windows Security Only and E11 Cumulative Security  number KB4073578 and KB4056568, respectively.

But what is(are) the KB(s) of the NET update(s) that is(are) OK to install now (assuming there are any (maybe) safe ones already)?

To anyone who knows the answer and lets me know what it is: Thanks!

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

1 user thanked author for this post.

JDeC

Reply | Quote

Woody’s ComputerWorld article has information on .NET

Reply | Quote

Not quite: a link there to another site that seems to have a link to the actual MS update, but then, on going there, I find myself in a site in what could be Arabic, so I get out of there. Then further searches get me to a MS English page for the update but with no “download” link on it. Instead, there is a recommendation to turn on Automatic Updates. Which means that then everything else out there will rush in and get installed as well.

So, given this entirely unfortunate situation, I am holding off installing anything with .net in it. And probably everyone else should follow suit, to be safe.

 

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

I’ve no idea whether it’s safe to install, I haven’t tried yet on my Windows 7 machines, but the .Net Framework update I’m being offered as an Important update is KB405532. I’ve hidden KB4033342 which is an Optional update relating to .Net Framework 4.71 which I neither have nor want. I’ve also hidden the Optional  .Net Framework Preview KB4057270. These updates do tend to vary, however, according to which versions of .Net Framework you have installed, so “your mileage may vary” as they say!

Reply | Quote

I made performance tests before and after the update if anyone is interested.

https://www.askwoody.com/forums/topic/decrease-in-performance-after-meltdown-patch/

1 user thanked author for this post.

Elly

Reply | Quote

Performance test down here too and if you get the new beta 5.23.5 release of Sandboxie, it works.

https://forums.sandboxie.com/phpBB3/viewtopic.php?t=25114

1 user thanked author for this post.

Elly

Reply | Quote

Same here, peformance decrease and Sandboxie borked. Was this Meltdown patch part of the monthly rollup update ? If so, I think I just joined group W.

Reply | Quote

My performance was slightly down and I install new beta version of Sandboxie and it fixed that.

Reply | Quote

Two Questions. One, after reading various post about KB4033342 on Win 7 x64, should we install the .NET offline installer or just hide it and forget about it?

Two, Win 10 Pro 1703. I’m using wushowhide and feature updates delayed set to 365 and pause updates set to 35 days. As soon as I uncheck pause updates, it downloads and installs. Where do I get to pick and chose what to install and not install ? It installed both KB4023057 and KB4056254 as soon as I uncheck pause updates and I had no choice. None of the updates showed up in wushowhide when I ran it before updating.

Reply | Quote

“Unholy mess.”  This makes me want to forego 4055266.  There’s no real pressing issue for me.  Others might have the need, to each their own.

Win 8.1 (home & pro) Group B, W10/11 Avoider, Linux Dabbler

Reply | Quote

@OscarCP you should install KB4056897 it’s a security only update; KB4073578 it is not and it’s for AMD devices

for me  KB 4056897 and  KB 4056568 both installed Group B

Reply | Quote

Group B Win 7 64 bit

Seems okay so far (touch wood) and SFC /Scannow is clean, so hopefully Nadella’s Noobs haven’t broken anything critical.

Why is patching starting to feel like the Apollo 13 mission, flying round the dark side of the moon?

1 user thanked author for this post.

JDeC

Reply | Quote

Win7 Pro x64 on Zbook 17 Workstation. FWIW, Looked up and installed the January Security Only .Net patches for versions onboard. Do not have nor plan to install 4.7. (Wish those .Net Security Only KB’s could be listed for Group B!) Did a full image and file backup as recommended prior. KB4054176, etc.

Then installed Security Only, IE11 KB4056568; then installed KB4056897 separately; no AMD on this machine. Touch wood, everything still working. No clue about speed after patching. Seems unchanged but likely won’t know until I use DxO Pro 9 for photo/RAW image development which is processor-intensive. Will watch this site for more expert feedback! 😉

Have Office 2010 Home & Student on here. Will turn on WU tomorrow and hide the rollups. Will be offered Office updates I expect. Install those or ignore any???

Thanks!

3 users thanked author for this post.

SueW, AJNorth, MrBrian

Reply | Quote

My computer is Windows 7 Home Premium 64-bit SP1
AMD FX-6300 Six Core Processor, 4.0GB Ram, ATI Radeon 3000 Graphics.

I installed KB4056894 January 5 and have had no problems but I have hidden KB405532 which is listed as important and KB4033342 is listed as Recommended. I don’t need any problems, I know just enough techie stuff to get into a lot of trouble. Should I install or chicken out?

Reply | Quote

What about the Intel Management Engine flaw?  I believe this is different than Meltdown et al, but has been overshadowed since the news in late November.  Should the home user patch this or let it be?

https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

Reply | Quote

Is your machine VPro? There will be a sticker probably. If so, use the patch from your OEM. Did it on mine but IMO if yours isn’t VPro, you have less to worry about.

Reply | Quote

Sorry, didn’t read your link first. There IS a serious IME VPro vulnerability. Your link though references the WPA2 patch. If your OEM has one as mine did, yes, probably worthwhile. Not a techie myself but assume your router needs a patch too. For that, ask your ISP and/or your router OEM.

Reply | Quote

Plugged the holes.

Making backups.

Always keep a rescue disk and a system image.

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

Reply | Quote

AJNorth wrote:

(When in trouble, when in doubt – run in circles, scream and shout.)

“Stand-in-place panic.”

–Patrick McManus

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

2 users thanked author for this post.

Elly, AJNorth

Reply | Quote

I have a couple of duplicate replies as it is taking a while for them to post. Don’t know if this is related to the latest updates or not.

Reply | Quote

You were caught in the sp*m filter – reposting just causes us more work, in this case (not always…) 😉

1 user thanked author for this post.

bobcat5536

Reply | Quote

woody wrote:

As you go through the steps, keep in mind that Microsoft, uh, forgot to honor the “Current Branch for Business” setting —

That was for a few weeks three months ago. Version 1709 has been “Current Branch for Business” (Semi-Annual Channel) for three weeks now.

Reply | Quote

“ProTip #3. Make a full system image backup before you install the January patches.
This month more than ever, there’s a non-zero chance that the patches — even the latest, greatest patches of patches of patches — will hose your machine. Best to have a backup that you can re-install even if your machine refuses to boot.”

How do you restore a system image (e.g. Macrium) if your machine won’t boot?

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

Reply | Quote

You use the Macrium (or whatever image software you use) Rescue CD/USB. You did make it when you installed the software, didn’t you?

1 user thanked author for this post.

samak

Reply | Quote

Thanks. Yes, I did make a rescue USB. I just interpreted the “refuses to boot” phrase to mean that there was a possibility that you wouldn’t be able to boot to the USB either.

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

Reply | Quote

This is a parenthetical comment to the backup advice:

• Make sure you make backups on a consistent basis — the whole banana including system images.
• Make sure you have a rescue disk — that is, a separate disk that will boot your computer if your computer hurls.
• Keep your rescue disk and backups accessible. Know where they are.
• Make sure you know how to use your backups. Someday you will have a computer emergency: your computer will hurl. Really. Guaranteed. Your backups will do you no good at all if you can’t find them and don’t know how to use them.

With the current software updates, it’s much more likely that you will need backups. Act now and avoid panic.

 

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

4 users thanked author for this post.

SueW, MrBrian, Elly, Cybertooth

Reply | Quote

? says:

KB4056897 works for an old Pentium 3.06 HT, no problem…

KB4056897 does not work for a first gen K8 AMD AthlonX2. locked up solid on re-boot. got out Windows 7 Repair Disk and did: DISM /image:D:\ /cleanup-image /revertpendingactions, reboot back into Windows desktop and run KB4073578. reboot to desktop

so much for January “updates!”

Reply | Quote

@MrBrian recommended to use KB4073578 as the Security-only update for Win7

Reply | Quote

? says:

Thank you, PKCano! i guess i get bleary-eyed at this late stage of windows 7 monthly updates.

 

Reply | Quote

I see a lot of confusion. I am going to share what I have done personally with my machines. All mine are Intel based.

As a prelim:
1. Update your Anti-virus to the latest version of the PROGRAM. Check to be sure the ALLOW Regkey is set.
2. Verify whether your CPU is Intel or AMD.
3. Backup your computer!!!!!
4. Rule: DO NOT CHECK ANYTHING THAT IS NOT CHECKED BY DEFAULT

The following are only my choices. Make the choices as applies to your case.

Win7.
I installed KB4056894 Monthly Rollup. If you have AMD and you feel unsure, download KB4073578 and install it manually first then the Rollup. See AKB2000003. EDIT: See @abbodi86 ‘s comment at #165285. Normally it is not recommended to install unchecked Preview patches, but in this case KB4057400 Preview probably contains the AMD fixes found in KB4073578.
I installed MSRT
I installed all the Office 2010 updates
I have .NET 4.7 on all machines. I did not install .NET 4.7.1 (unchecked).
My choice for .NET has always been the Rollups offered by WU.
For Group B – follow @MrBrian ‘s instructions.

Win8.1
I installed KB4056895 Monthly Rollup. If you have AMD and you feel unsure, download KB4073576 and install it manually first then the Rollup. I suspect the PIC/APIC problem will be fixed in the Feb Rollup. See AKB2000003. EDIT: See @abbodi86 ‘s comment at #165285. Normally it is not recommended to install unchecked Preview patches, but in this case KB4057401 Preview probably contains the fixes found in KB4073576 and KB4077561.
I installed the IE Flash update
I installed MSRT
I installed all the Office 2010 updates
I have .NET 4.7 on all machines. I did not install .NET 4.7.1 (unchecked).
My choice for .NET has always been the Rollups offered by WU.
For Group B – follow @MrBrian ‘s instructions.

Win10 1703
Using wushowhide I hid KB4023057, KB4073543, and KB4056254
I installed CU KB4057144 Build 15063.877
I installed all the other non-driver patches.

Win10 1709
I have KB4056892 Build 16299.192 installed.
I was not offered KB4058258 Build 16299.214 through WU and I did not try to manually install it. It seems to have an installation problem as noted here.

EDIT 1/6/18 to add @abbodi86 ‘s comments

9 users thanked author for this post.

John, abbodi86, dgreen, woody, Elly, Sueska, AJNorth, Cayennejim, samak

Reply | Quote

Quick question.  Windows 10 1703  I run wushowhide on a regular basis and have never had it bring up a KB update. I get plenty of driver, printer and other stuff. I’m wondering if I’m not running something right. I always check the advanced box first and uncheck the fix option, but have never seen any KB’s.

Reply | Quote

They showed up on mine.

Sometimes it is best before updating to run Disk Cleanup\Cleanup System Files and cleanup Windows Update points before you start, reboot, then run wushowhide immediately after startup.

2 users thanked author for this post.

AJNorth, bobcat5536

Reply | Quote

Non-technie user here so I really appreciate all the guidance and advice from Woody, PK and everyone on here!  I recall reading about a rebooting problem for Win  7, 64-bit machines with Haswell processors (which I have) after application of the January patches.  Has this issue been resolved?

Reply | Quote

I think most of the problems with the Intel processors were associated with the microcode firmware updates from Intel that were then dispensed by the OEM’s.

The boot problems with the Jan patches were mostly concerning machines with AMD processors and some AMD Radeon graphics cards

1 user thanked author for this post.

pulsar

Reply | Quote

Woody, I’d probably have mentioned the performance hits these patches cause as something to consider. Most folks probably won’t see the slowdowns in their daily work, and you may be advising for the masses, but make no mistake, the performance hits are there.

And there are STILL very few people who have good, solid before/after measurements.

-Noel

1 user thanked author for this post.

AJNorth

Reply | Quote

No third-party benchmark software installed but did run Performance Information Windows Experience Index test from Win7 Control Panel. FWIW, scores didn’t change after installing KB4056897. No clue how indicative that might be…

Reply | Quote

I haven’t seen any validated slowdowns for “regular” users. Have you?

Reply | Quote

I have personally sensed a slowdown so far on the small Win 7 hardware system I run.

It’s a Haswell Pentium G3220, 2 core with 8 GB of RAM. A minimal, inexpensive system to say the least. But it never really felt slow to do things on the desktop until just the other day. I happened to log in when it was running a MSE malware scan – something that’s uncommon to be running when I’m logged in, but I’m sure I’ve done so before while a scan is running. I’ve logged in during scans a number of times just to learn why the disk light was active.

This time – post January Windows patches, but no microcode changes – the desktop was almost unusably slow – QUITE noticeable. I found myself waiting several seconds for any application to start.

That’s the first time this system has felt slow to respond – ever – since I installed it in 2015. With a RAID array of SSDs and plenty of free resources, such a system should NEVER be noticeably sluggish.

Using an application that stresses the I/O subsystem I measured a repeatable 30%+ drop in the disk I/O throughput on this system, from an ability to move 1400 megabytes per second to/from the disks to 900 megabytes per second after the patches. I believe this is directly responsible for the sluggishness when doing a malware scan – which is of limited by I/O throughput.

So yes, I’ve now seen the performance degradation in real world usage myself, under just the conditions in which I’d expect to sense a problem with a reduction in operating system I/O performance – trying to do something while something else was using the system volume heavily. Pretty much since time began the thing that holds any computer system back from doing more work and being responsive is I/O latency and throughput limitations.

-Noel

2 users thanked author for this post.

Cascadian, AJNorth

Reply | Quote

Not receiving email conformation of registering for this site?

Reply | Quote

It is an ongoing problem with the website software.

1 user thanked author for this post.

AJNorth

Reply | Quote

If you checked your spam filter and it wasn’t there, either… then Woody usually tells people to e-mail him directly at woody@askwoody.com

 

Non-techy Win 10 Pro and Linux Mint experimenter

1 user thanked author for this post.

woody

Reply | Quote

My question, is it safe now to go ahead and download /install NetFramework4.7.1 (KB4033342) for win7 ?

Reply | Quote

KB4033342 is UNCHECKED in Windows Update.

Rule: DO NOT CHECK ANYTHING THAT IS NOT CHECKED BY DEFAULT

Reply | Quote

I propose doing the following regarding Windows updates this month:

For any manually-installed Windows update from January 2018 and later: If you use antivirus, you must ensure that the antivirus-related registry item was set by your antivirus before proceeding with manual installation

If you don’t use antivirus, set the antivirus-related registry item, so that Windows Update won’t blacklist relevant updates.

Group A Windows 7:

If Windows Update offers KB4056894 then install it. If Windows Update doesn’t offer KB4056894, then if Windows Update offers KB4057400 then install it. If neither update is offered, then wait for the February 2018 Windows updates.

Group A Windows 8.1:

If Windows Update offers KB4056895 then install it. If Windows Update doesn’t offer KB4056895, then if Windows Update offers KB4057401 then install it. If neither update is offered, then wait for the February 2018 Windows updates.

Group B Windows 7:

Manually install KB4073578. Manually install KB4056568.

Group B Windows 8.1:

Manually install KB4077561. Manually install KB4056568.

12 users thanked author for this post.

Steve, SueW, PKCano, abbodi86, EricEWV, dgreen, woody, Elly, AJNorth, DrBonzo, pulsar, samak

Reply | Quote

How do you check your antivirus registry key to make sure it is correct?  A list on Microsoft shows that Norton has fixed the registry key.  I also uninstalled and reinstalled Norton to make sure I have the most recent updated software. 

But I don’t know how to check the registry key on my computer to make sure it is correct, although Norton representative tells me it is correct and that shouldn’t be the issue.

Reply | Quote

In Woodys’ ComputerWorld article he linked to THIS  post by OscarCP which shows you how you can check if Norton has set this key.

Reply | Quote

Thank you.  That article was very informative.  I checked by registry key and it is updated and correct, but I still cannot download update KB4056894!

Reply | Quote

You mean Windows Update doesn’t list KB4056894?

Try using the Windows Update Troubleshooter, as listed in the article, and see if that shakes anything loose.

Reply | Quote

Windows Update Does list KB4056894 on my computer, but during the install when it is down to the final with the screen showing percentage of Windows Configurating, the update fails to finish installing with a message FAILURE CONFIGURATING WINDOWS UPDATE – REVERTING CHANGES.  End result, KB4056894 is not installed.

Reply | Quote

Normally, it is recommended not to install unchecked Preview patches. But in this case, you might try what @abbodi86 suggests in #165285

Reply | Quote

Try the suggestions here:

https://answers.microsoft.com/en-us/windows/forum/windows_7-update/kb4056897-and-kb4056894-fail-to-install/e632fc38-fd77-47d9-9efb-aaf7f2080e5e?auth=1

Reply | Quote

Would you mind explaining your reasoning for pushing to non-AMD machines KB4073578? Installed the original KB4056897, which by now might have been revised anyway, on my Intel/Nvidia machine today, so far without issue. https://support.microsoft.com/en-us/help/4073578/unbootable-state-for-amd-devices-in-windows-7-sp1-windows-server-2008

Reply | Quote

“Would you mind explaining your reasoning for pushing to non-AMD machines KB4073578?”

It makes the instructions simpler :). If you have already installed KB4056897 and restarted your computer and had no issues, then I believe there’s no compelling reason to install KB4073578.

3 users thanked author for this post.

JDeC, SueW, woody

Reply | Quote

MrBrian,

Here are quotes from Microsoft on the support pages for each of the Windows security updates you recommend be installed rather than the ones originally issued:

“This update does not replace a previously released update.”

“To apply this update, you don’t have to make any changes to the registry.”

Both of these quotes seem inconsistent with the concept that the originals were superceded rather than supplemented. You are far more knowledgeable than I (and possibly Microsoft too!) but I wonder if it’s risky to ignore Microsoft’s descriptions of the updates. I wonder if there would be a downside to installing the original(s) and then the later one(s) you recommend, in sequence??

Reply | Quote

It’s true that the newer updates don’t metadata-supersede the security-only updates, but that’s probably because there are good reasons that a non-security update shouldn’t metadata-supersede a security update. Another question: So why didn’t Microsoft classify the newer updates as security updates? I would guess it’s because Microsoft doesn’t want users that installed the older updates and didn’t have issues to think that they had to install the newer updates.

2 users thanked author for this post.

Steve D., woody

Reply | Quote

In a sane world, I would think Microsoft would push out an Intel-specific patch and an AMD-specific patch at this stage seeing the major issues that can arise from the AMD machines, or just release an AMD-specific patch with all the relative fixes.  Something like “Security Update for Windows 7 on AMD” maybe.  But I think that’s asking for much with MS’s recent track record.

Reply | Quote

Support articles are generally generic

besides, if you take Microsoft word, you would not follow Woody’s defcon system 😀

1 user thanked author for this post.

PKCano

Reply | Quote

In @MrBrian’s post #164967 in this blog, where does he get his information from that KB4073578 can be installed instead of KB4056897 as the January 2018 security only update for Windows 7?  I am extremely nervous about this.  I can’t find any confirmation that the former is a replacement for the latter.

And, as has already been pointed out by others in this blog, the KB4073578 article states “This update does not replace a previously released update”.  And, furthermore, as has already been pointed out, it raises the question as to why didn’t Microsoft release a second version of KB4056897 to replace the first version instead of releasing KB4073578?  It is all very confusing.

As my PC has an Intel processor, unless I can find some convincing evidence to do otherwise, I am inclined to install only KB4056897.  Thinking ahead, would that then put my PC in a state in which I could not install the February 2018 security only update?

Reply | Quote

“In @mrbrian‘s post #164967 in this blog, where does he get his information from that KB4073578 can be installed instead of KB4056897 as the January 2018 security only update for Windows 7?”

It’s based on analysis of the contents of KB4056897 vs. KB4073578. If you’re sure that you don’t have an affected AMD CPU, then it’s fine to use KB4056897 instead.

5 users thanked author for this post.

JDeC, SueW, OscarCP, TonyC, woody

Reply | Quote

Yes, I suspected that was the way you did it.  I couldn’t find any explanation anywhere.  Microsoft’s documentation of these two updates and their relationship with one another is ambiguous and misleading.

Reply | Quote

I forgot to mention: In another topic I posted that as a test I installed KB4073578 on my Intel CPU, rebooted, and had no issues. (After a few minutes, I restored the backup that I had just made because I am in Group A.)

Reply | Quote

Yes, after this month’s problems, I’m now seriously considering switching to Group A. It is not so much Microsoft’s snooping that I object to but, in 2016, I was appalled by Microsoft’s attempt to upgrade my system to Windows 10 and to prepare my system for the upgrade. I don’t want that to happen again. I know that I am going to have to start using Windows 10 within the next year or two, but I will do it by performing a clean install of Windows 10 on a new PC.

Reply | Quote

I can’t believe its gotten to the point where one is now required to have a system image and a repair disc standing by to download WU.  Well, actually I can after last month. I’m on WIN 7 with an older AMD machine, group A, and will still be sitting this one out until a I see a green for the Feb updates.  I’ve also tried to register on this site twice with no luck.

Reply | Quote

An occasional problem in getting registration emails has been noticed in some cases. Your quickest solution is to email Woody your username (used in your attempt to register) and a password. If he can’t find the user name in the database, he has the tools to create it.

1 user thanked author for this post.

woody

Reply | Quote

OK, this is the situation with January’s Security Update, and it can be fun playing “Update Roulette” with your Win 7, x64, Intel 7 CPU PC (if possible, and old one of Sandy Bridge vintage, like mine).

First: the initial game lineup:

(1) MrBrian recommends the Security Update KB4073578 for Intel, AMD, etc.

(2) Anonymous and a few others are all for KB4056897  for Intel. Some of them are even saying things like: “I installed KB4056897 and everything was OK afterwards!” Or: “Do not install KB4073578, that one is for AMD!”

(3) Everyone seems to agree that KB4056568 is fine for E11, whatever the CPU may be.

(4) Nobody, at least the way I see it (and am nothing more than an imperfect, error-prone mortal), has the slightest idea of what to do about .net.

Now place your bets, ladies and gentlemen: Choose either (1) or (2). Don’t worry about (3), avoid having anything to do with (4).

Win: Nothing bad happens. Dull, but all right…

Loose: You’ll get a fancy doorstop and (if you are truly diligent), also an ISO disk image. Then you could place the disk on the doorstop, for an specially eye-catching effect. But you’ll be unable to visit Woody’s anymore, as you’ll no longer have what you’ll need to do that with. But it won’t matter, as you’ll never have to worry about updating Windows 7 again.

(Just kidding.)

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

2 users thanked author for this post.

Elly, Cybertooth

Reply | Quote

“(4) Nobody, at least the way I see it (and am nothing more than an imperfect, error-prone mortal), has the slightest idea of what to do about .net.”

I recommend: Install the .NET Framework updates that Windows Update ticks by default.

1 user thanked author for this post.

SueW

Reply | Quote

Had been installing the .Net rollups as well until a bug in image-rendering appeared in the rollup  a couple of months ago but not in the Security Only patches. Last thing I needed was to bork my RAW image developing and editing software. Been doing Security Only since, but it’s a pain.

Reply | Quote

Win7 intel pentium machine here. Thanks for the heads up. For us Win7 users, are there any major bugs that we should prepare for, like those in Win10?

Reply | Quote

First post on this site so please excuse me if I missed to read anything. I’m still reading up on the differences between Group A and Group B. Looks like I’m in Group A but I’m not a 100 percent certain yet. The DefCon system is very clear cut. I like it a lot.

On my Dell Notebook running Win8.1 and AMD Radeon, I installed:KB4077561 (Manually)and KB4073576(Manually) and The Security Only Update KB4056898 (Manually)

Via Windows update I installed: KB4057401 (Preview of Monthly Rollup) and KB4056895 (Monthly Rollup)

On my Dell Desktop running Win 8.1 and an Intel core I5 I Installed those same updates I listed except the KB4073576 update which is a listed fix for older AMD processors.

On Patch Tuesday last month on my Desktop and Notebook I installed the MSRT (KB890830) & The Adobe Flash Player update (KB4056887) and the Security and Quality Rollup for Microsoft.Net (KB4055266) Framework which in Hindsight I shouldn’t have installed at that time but fortunately I didn’t run into any problems. But I hid the other .Net Framwork updates and I don’t plan on installing them.

Besides the updates I listed, did I miss anything major to install from the January patches?

1 user thanked author for this post.

Elly

Reply | Quote

Hello Anonymous,

There are a number of anonymous posting… so if you want to be anonymous, and not register on the site (which is okay), I’d suggest that you pick a name of some kind to stick on your post, so that it is easier to follow any further questions and answers (like when another anonymous is answering your post, or asking a related, but different question… it happens).

I will say up front that I’m not a techy person, but I’ve been here for a while… and so would like to point out a few things… and maybe answer your questions…

First, unless you want to experiment, and you know how to fix your computer, don’t install anything with preview in its name… those are for the early adapters to try out! You said you already installed it… so here’s hoping there aren’t any problems in it for your machine…

Second, is if you are going the Group A route, and install the Monthly Quality and Security Update, you don’t need to install any Security only patches… they are included in the Monthly Quality and Security Update.

Installing the Monthly Quality and Security Update puts you in Group A, even if you were following security only updating (Group B) before that.

Did you follow each step (if Group A) at https://www.askwoody.com/forums/topic/2000004-how-to-apply-the-win7-and-8-1-monthly-rollups/? It is important to hide updates you are not installing, and then check for more, because some updates do not show up until all updates are installed or hidden.

Group A is the recommended and easiest way to update… but I find that Group B works just fine for me.

Also, although Woody says to turn off Windows Update, that is so you can control when to update. You can still click on it to run Windows Update, sort through the offered updates as recommended in the link above, and then install them. You don’t have to manually install them. I may have confused what you actually did, but this is an issue that a friend had problems understanding when I referred her here. She went to Microsoft and manually downloaded the Monthly Security and Quality Update, when it was already offered through Windows Update…

The most important part, in the end, is to have a safe and working computer… so, if you have that, you were successful!

 

Non-techy Win 10 Pro and Linux Mint experimenter

Reply | Quote

Not to add to the already formidable workload, but is the update to the procedure for a clean installation of WIN 7 (delineated into Groups A & B) still in the queue?  If memory serves, the most recent discussion was How would you install Win7 from scratch?  (2017.01.18), which should still provide the means to get the job done.

Reply | Quote

anonymous wrote:

Basically, it is recommended there that you install KB 4056897 and KB 4073538 BUT ONLY restart your computer AFTER both updates have been installed. Do not restart after the first update, but only after both are installed. Apparently, this way the potential boot problem with 4056897 gets corrected before it happens.

OK, silly question – how do you install both patches without a reboot in between?

I am Group B, Win 7 Pro, and have been trying to do this for months (that is, install the Win 7 security-only patch and the corresponding IE11 patch with just one reboot after both installed).  However, whenever I try to install the second patch after successfully completing the first (with a “restart required” message), I get another message saying something to the effect that “only one wusa process is allowed at a time” (forgotten the exact message).  This happens even if I Close the wusa screen rather than Restart.

I have just installed both of the January patches, same problem – had to reboot after the first one before it would let me run the second (both eventually installed successfully).  If there is a way to delay rebooting until after both patches are installed, it would save me a lot of time every month – it takes my old PC at least 10 minutes to complete a reboot cycle.

Dell Precision 3630 w/32 GB RAM, 500 GB (C:), 1 TB (D:)
Window 10 Pro x64
Internet: FTTC (Fibre to the Kerb)

Reply | Quote

KB 4056897 and KB 4073578 are the two alternative Win7 security-only updates. Neither is an IE update. I don’t think anyone was suggesting that you try to skip a mandated reboot in between a Win7 update and an IE update.

More importantly, though, I think it’s fair to say that the guru-consensus in this thread is that you should only install one of those two Win7 updates. 4056897 is apparently fine if you’re sure your CPU is Intel and not AMD. And MrBrian says 4073578 is fine for both Intel and AMD CPUs.

1 user thanked author for this post.

woody

Reply | Quote

A positive report on an uneventful update now complete.

CPU: Dual AMD C-50 (wikipedia cross-references this as Brazos Ontario, 40nm)
GPU: AMD Radeon HD 6250 (which should not matter, but including for completeness)
Win7sp1x64, Microsoft Security Essentials, QualityCompat registry key set

Following GroupA, allowing WU to make the appropriate choices.
Preselected (checked) two important updates:
2018-01 S&QR .NET Framework (all) Win7 & 2008 R2 x64 (KB4055532)
2018-01 SMQR Win7x64-based Systems (KB4056894)
and hid all others.

Download delivered in about 99MB total for both items, download and installation required between 50m and 1h, restart took less than 10m, displaying only one start cycle including the expected percentage progress display and appropriate warning against removing power. No second cycle was observed. Windows Update History showed the appropriate information, listing KB4055532 .NETrollup first, around 45m from start, then KB4056894 SMQR second, 9m later.

From curiosity, restored several usual suspects and allowed the new check for updates to review these items. All remained on offer, with same published dates and sizes previously seen, including KB2952664 still dated 14NOV2017.

Gibson Research’s InSpectre release #6b reports:
System is Meltdown protected: YES
System is Spectre protected: NO!
Performance: GOOD
And much more information as well; all as expected.

GroupA may allow some things that concern some people. But this system had the things that were likely to cause problems, and Windows Update provided the correct items without damage.

3 users thanked author for this post.

MrBrian, cesmart4125, AJNorth

Reply | Quote

Adobe Flash Player has been updated to version 28.0.0.161.

“A critical vulnerability (CVE-2018-4878) exists in Adobe Flash Player 28.0.0.137 and earlier versions. Successful exploitation could potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.”

For those who do not have Adobe Flash Player set to auto-update in WIN 7, or third-party browsers in WIN 8.1 and WIN 10, it may be updated manually from the Control Panel – or downloaded using these direct links (Right-click; select Save Link As):

NPAPI:  https://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player.exe

AX:  https://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player_ax.exe

PPAPI:  https://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player_ppapi.exe

Uninstaller:  http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe

 

Microsoft will make the update for IE 11 (WIN 8.1 & 10) and Edge available from Windows Update.

4 users thanked author for this post.

walker, cesmart4125, SueW, MrBrian

Reply | Quote

Thank You Elly.  That was very helpful.

From now on I definitely won’t install Preview Updates anymore.

I thought I needed both KB4056895 and KB4056898 to patch the Meltdown vulnerabilities which is why I installed both. So I take I don’t need to install anything from the January Patches?

Also I wasn’t offered any internet explorer update via WU last month. But I see some people are manually installing it.

1 user thanked author for this post.

Elly

Reply | Quote

Anon at #165423

The IE separate patches are not offered through WU, they are part of the Monthly Rollup.
If you do the security-only patches manually you need to also do the separate IE11 update manually.

3 users thanked author for this post.

walker, JDeC, Elly

Reply | Quote

just double asking for saftey:

on 8.1, if 4077561 being installed already, installation of 4073576 not necessary anymore?

Reply | Quote

See #165156

Reply | Quote

this post only says:

Group B Windows 8.1:

Manually install KB4077561. Manually install KB4056568.

so 4073576 not needed anymore?

Reply | Quote

You read the post correctly.

Reply | Quote

Bit the bullet and performed the update with KB4073578 as suggested by @mrbrian in #165156 ; it went quickly and with no noticable slowdown upon reboot and login.  Entire process took around or less than 5 minutes taking actual WUSA install time and the reboot installation with Windows Update itself registering a successful installation.  You have my gratitude for all the work you have done with this everyone.

Specs:

Windows 7 x64 Ultimate SP1

AMD FX-8320 3.50 GHz

Nvidia GeForce GTX 1060 (for complete specs sake)

1 user thanked author for this post.

MrBrian

Reply | Quote

Thanks @woody et al.

I am the Win7 SP1 x64 guy who had the Sandboxie problems after installing KB 4056897, so I will avoid it till that’s solved by Invincea.

Already updated KB 4056568 (IE) without problems, and will now go for KB 4055532 (.NET).

Be safe everyone.

Reply | Quote

Ok,

eventually decided to take the risk, based mainly on the assumption that either with inspectre or manually I can disable the meltdown and “supposedly” revert to the “previous” cpu performance.

My 2 cents…

Win7 x64, group B
Intel , dual xeon 52×0

1) would be nice to have a simple reliable way to quantify the speed loss
This said
2) TrustedInstaller, after these patches, is back to spiking at 20/25% … it was years since it messed up
3) DaemonTools got affected by the very first security patch. Saw some mention about updating a virtual driver, followed by a timeout on the very first restart. Subsequently ( next restart ) it tried to do something but effectively the 2nd virtual drive vanished
3rd restart, and the 2nd virtual drive shows in explorer, but NOT in daemontools.
4) The indexer is working a lot ( read it Lot with the uppercase ) more, on C drive.
I’m seeing 5 to 10 minutes of extra disk activity, compared to before.
SearchProtocolHost.exe runs more, definitely (2 instances).
lot of writes to
c:\programdata\microsoft\search\data\applications\windows\windows.edb
constantly
5) Sqlservr.exe (runtime only) shows quite a lot of activity while before it didn’t happen.
Sql server services are disabled (by me, long ago), except sql server VSS writer (not sure if it was started before the patches, or if it got started due to them)

Reply | Quote

For third-party software, in several cases, installing the latest version has corrected the problems experienced after the latest round of patching. That has included the latest version of the anti-virus as well as other applications.

Reply | Quote

Taking note, but seems the thing is a bit weird on this side.
The 2nd virtual unit is present, but it got associated to a microsoft driver and identified as a real scsi unit on bus 0 id 0 lun 0.
Now, I do have a few controllers, raid included… but no optical units on them. Quite weird outcome of the update, I would say

TEXGV___JWXER8DYB_______1 scsi cdrom device

Reply | Quote

Typical discussion, lots of differing options not much in the way of specific guidance. Those clinging to Win7, 8.1, Win 1607 are on their own to make up their own minds as not too many can keep all the KB numbers straight for every version of Windows.

For Win10 1703 the summary as I understand it.

1) The only major bug squashed in January is the “Equation Editor” issue

2) The changes that bring about a CPU slow-down addressing Specter/Meltdown have been removed for the Cumulative update currently available for January as well as in any updates to the bios/uefi.

So, if what I stated above is the case, I may well install the Jan. Cumulative Update, and the three pending (3 on my system) WaasMedic & accompaning Windows New Version preparation files. I do not expect to be installing Win10 18XX until 17XX is no longer supported or I upgrade my cpu & motherboard to one that isn’t from the stone age.

Unfortunately, I do not live in the industrialized world and for now, a new computer is completely out of the question due to cost and the fact that I would never be able to get it shipped to the 3rd world without it growing legs and walking off into the sunset.

At present, I’m reading what I can find and from that am preparing to hit the update button on the assumption that there will be no cpu impact due to Specter/Meltdown patching. If that is not the case, then I definitely do not wish to install Jan. updates or probably anymore going forward until either the class actions against intel get me a new cpu (Ha!) or I get my hands on a CPU with the specter/meltdown vulnerabilities corrected on the cpu itself.

 

Reply | Quote

Woody,

I have 2 Win 7×64 PC’s (circa 2010) with Intel I5-650 CPU’s; 1 built Desktop & 1 Toshiba Laptop (Win7 OEM install).

I’m a regular Cloner & Imager so I have Cloned my Laptop (my ‘guinea pig’ test PC) prior to installing the Jan Rollup (WU not yet installed).

My question is about the Win 7 Jan Monthly Rollup as it relates to any built-in Firmware updates which I don’t want installed on my PC’s.

Can I install the default Jan Monthly Rollup without any Firmware Updates?  Does the Rollup now include any Firmware updates?

The concern I have is if the Jan Rollup includes the “Spectre” Firmaware updates, my Clone (or full Image) HDD backups won’t help me rollback my Laptop PC if BIOS/Firmware updates were included in the Jan Rollup Update.  Is that correct?

Reply | Quote

The Jan patches do not contain firmware updates. Those come from the Computer OEM or the chip OEM.

1 user thanked author for this post.

Scoop

Reply | Quote

PKCano

Thanks for the info 🙂

Reply | Quote

Updating windows 7 (group b) for security only and net security only is causing more problems that result in users spending hours trying to figure out or fixing the patches! I dislike spending more time on windows operating system than I use the computer for!

My android tablet proves to be more enjoyable and much easier to manage.

I have always enjoyed keeping my computer efficient, safe and enjoyable.

my question: looks like installing 4056897 and 4055269 results in more problems than fixing any security issues, am I correct?

Reply | Quote

See @MrBrian ‘s recommendations at #165158

Reply | Quote

Reply to # 165320;

Well, it took me 20 mins. this morning, while I burnt the toast. But then I was prepared (patches downloaded and waiting) and took a no-frills approach (if you don’t really need it, don’t install it). Not exactly hours!

2 users thanked author for this post.

SkipH, SueW

Reply | Quote

Possible bug report post patches installation :
Outlook 2010 went unresponsive once when trying to open an email with inside lets say ads ( official from my phone provider ), killed the process after letting it stay at 25% for 10 minutes.

It tried to lock up a 2nd time (on a different, simple email), subsequently, but it resumed after 30/40 seconds

Reply | Quote

See https://www.askwoody.com/2018/report-of-a-bug-in-januarys-outlook-2010-patch/

Reply | Quote

@Elly Regarding the anonymous issue: I am a registered Patron, but prefer to comment anonymously most of the time when I reveal the set up etc. of my particular Win 7 SP1 x64 / Intel i4 system in order to get the right advice of the gurus here. I rather keep info like that low profile. (Welcome to my world of paranoia.)

@MrBrian I read all your and most of other’s comments about the updates, so also about KB 4073578. (I had to uninstall and do a system restore after KB 4056897 messed up third party software.)
If I understand correctly, KB 4073578 was meant for AMD systems and not for Intel. However, there seems to be no harm in installing KB 4073578 on a Intel system.

But what I don’t understand: What is/would be the benefit of installing this update on a Intel system?? Thanks in advance.

1 user thanked author for this post.

Elly

Reply | Quote

anonymous wrote:

@mrbrian I read all your and most of other’s comments about the updates, so also about KB 4073578. (I had to uninstall and do a system restore after KB 4056897 messed up third party software.) If I understand correctly, KB 4073578 was meant for AMD systems and not for Intel. However, there seems to be no harm in installing KB 4073578 on a Intel system. But what I don’t understand: What is/would be the benefit of installing this update on a Intel system?? Thanks in advance.

updates are for all systems, regardless if they fix something for one of them

the benefit is to align patching recommendation 🙂

4 users thanked author for this post.

walker, MrBrian, JDeC, PKCano

Reply | Quote

I am absolutely not going to install the Meltdown Spectre patch. At this point I just don’t believe that there is a real threat. A potential 30% slowdown is not acceptable, and there is no indication that these holes are actually going to be useful ways of hacking into a personal computer. Someone might try to hack an un-patched server, but there isn’t enough of a reason to try and do this to someone’s PC.

If I hear that these exploits are actually working to attack regular people’s PCs then I will reconsider. But as of now, that patch stays unchecked.

4 users thanked author for this post.

AJNorth, HiFlyer, JDeC, Noel Carboni

Reply | Quote

LH wrote:

OK, silly question – how do you install both patches without a reboot in between? …. However, whenever I try to install the second patch after successfully completing the first (with a “restart required” message), I get another message saying something to the effect that “only one wusa process is allowed at a time”

Try installing the patches manually. When I do that, first I disable the network (unplug the ethernet cable) and then stop the Windows Update service (via services.msc) After the 1st patch is installed, I opt out of a reboot and then again stop the Windows Update service (otherwise it can take awhile before I’m asked if I want to install patch blah-blah-blah)

Works for me; Win 7 x 64 “Group B”

 

 

Reply | Quote

“If you do the security-only patches manually you need to also do the separate IE11 update manually.”

Pkcano So this explains what the people in Group B are doing?

 

Reply | Quote

You can read about Group B patching in AKB2000003 in our Knowledge Base.

Reply | Quote

Looks like I made it through that January patch minefield unscathed for now.  No noticeable slowdowns so far.

Reply | Quote

Wow, 112 MB (or 114 depending on how you look at it).  Must be some kinda record.

Win 8.1 (home & pro) Group B, W10/11 Avoider, Linux Dabbler

Reply | Quote

Don’t look now but Win 10 .msu files can be an order of magnitude larger than that.

-Noel

Reply | Quote

January patch KB4056894 applied and MSRT KB890830 applied 2/6/18 without any issues.

Dell Inspiron 660 (purchased in 2013) just replaced hard drive in November 2017 and had Windows 7 reloaded.
Windows 7 Home Premium 64 bit SP 1
Server 2008 R2 x64
Processor: Intel i3-3240 (ivy bridge 3rd generation)
chipset Intel (R) 7 series/C216
chipset family SATA AHCI Controller -1 E02

After new hard drive installed went to
Group A

2 users thanked author for this post.

jburk07, JDeC

Reply | Quote

If anyone has unanswered questions regarding my advice, please post at https://www.askwoody.com/forums/topic/a-quick-overview-of-january-patching-recommendations-for-windows/.

1 user thanked author for this post.

woody

Reply | Quote

RE: Win10 1703
Using wushowhide I hid KB4023057, KB4073543, and KB4056254
I installed CU KB4057144 Build 15063.877
I installed all the other non-driver patches.
————————————————————

What about KB4078130?

Reply | Quote

By way of personal update, my Intel Windows 7 x64 machine with AMD Radeon graphics card now has KB4056894 (monthly rollup), KB4055532 (.Net Framework update), 5 updates for Office 2010 and the MSRT all installed over the past couple of days and seemingly all running ok at the moment. I have also now been offered KB4011187 for Office 2010 but it’s unchecked and therefore left well alone for now.

That leaves me with the outstanding task of installing both KB4056894 and KB4055532 on my other machine which is an AMD Phenom II Windows 7 x64 machine with a Nvidia graphics card. That machine doesn’t have Office installed so the only other update for it which I have now installed ok is the MSRT.

Has any other Windows 7 user installed these updates on an AMD Phenom II machine, and if so with what results? I know Woody’s view is that the only outstanding problem with that processor is for certain Windows 10 users but that doesn’t make me any less apprehensive!

Reply | Quote

bjm wrote:

RE: Win10 1703
Using wushowhide I hid KB4023057, KB4073543, and KB4056254
I installed CU KB4057144 Build 15063.877
I installed all the other non-driver patches.
————————————————————

What about KB4078130?

That’s not an update, merely a tool to disable Specture mitigation
and it’s not available through Windows Update

2 users thanked author for this post.

bjm, woody

Reply | Quote

bjm wrote:

What about KB4078130?

KB4078130 is downloadable from the Catalog only and disables branch targeting vuln (CVE-2017-5715 Spectre variant 2). It is a workaround for those who have installed the defective Intel microcode. Microsoft says this about it.

While Intel tests, updates and deploys new microcode, we are making available an out-of-band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 – “Branch target injection vulnerability.” In our testing, this update has been found to prevent the described behavior in devices that have affected microcode.

I have not installed the defective microcode and do not need this patch. It is not necessary for those who have not installed the microcode.

2 users thanked author for this post.

bjm, woody

Reply | Quote

PKCano wrote:

bjm wrote:

What about KB4078130?

KB4078130 is downloadable from the Catalog only and disables branch targeting vuln (CVE-2017-5715 Spectre variant 2). It is a workaround for those who have installed the defective Intel microcode. Microsoft says this about it.

While Intel tests, updates and deploys new microcode, we are making available an out-of-band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 – “Branch target injection vulnerability.” In our testing, this update has been found to prevent the described behavior in devices that have affected microcode.

I have not installed the defective microcode and do not need this patch. It is not necessary for those who have not installed the microcode.

Hmm, I thought KB4057144 Build 15063.877 brings defective microcode.   How does defective microcode get installed?

Reply | Quote

Windows 7 intel Centrino vPro group B. Novice and grateful AskWoody reader. I have Avast antivirus. How can I make sure that the reg key is allowed? I have looked over my Avast options and don’t see any mention of this function.  Thanks!

Reply | Quote

abbodi86 wrote:

bjm wrote:

RE: Win10 1703 Using wushowhide I hid KB4023057, KB4073543, and KB4056254 I installed CU KB4057144 Build 15063.877 I installed all the other non-driver patches. ———————————————————— What about KB4078130?

That’s not an update, merely a tool to disable Specture mitigation and it’s not available through Windows Update

I pulled KB4078130 from Windows Update Catalog.

Reply | Quote

bjm wrote:

Hmm, I thought KB4057144 Build 15063.877 brings defective microcode. How does defective microcode get installed?

Microcode does not come from MS. It comes from the computer OEM or the chip OEM. It is a patch (code) applied to the CPU, not software to the Windows OS.

1 user thanked author for this post.

bjm

Reply | Quote

hjf wrote:

Windows 7 intel Centrino vPro group B. Novice and grateful AskWoody reader. I have Avast antivirus. How can I make sure that the reg key is allowed? I have looked over my Avast options and don’t see any mention of this function. Thanks!

Here are the instructions for finding the key

1 user thanked author for this post.

hjf

Reply | Quote

bjm wrote:

I pulled KB4078130 from Windows Update Catalog.

Windows Update = the OS internal update infrastructure

Microsoft Update Catalog = external web site to download updates manually

Reply | Quote

PKCano wrote:

bjm wrote:

Hmm, I thought KB4057144 Build 15063.877 brings defective microcode. How does defective microcode get installed?

Microcode does not come from MS. It comes from the computer OEM or the chip OEM. It is a patch (code) applied to the CPU, not software to the Windows OS.

Hmm, afaik I have not recently installed HP/Intel updates.   Guess, I’ll look to HP for info.  Thanks

Hmm, so KB4078130 is downloadable from the Microsoft Update Catalog…but, defective microcode does not come from MS.
head scratch  Thanks

Reply | Quote

bjm wrote:

Hmm, afaik I have not recently installed HP/Intel updates. Guess, I’ll look to HP for relevant info. Thanks

Advice – do not install any BIOS/microcode at this time. Things are messed up with the microcode at the moment.

3 users thanked author for this post.

Elly, BobbyB, bjm

Reply | Quote

hjf wrote:

Windows 7 intel Centrino vPro group B. Novice and grateful AskWoody reader. I have Avast antivirus. How can I make sure that the reg key is allowed? I have looked over my Avast options and don’t see any mention of this function. Thanks!

An alternative method for Windows 7 users is to see if Windows Update offers KB4057400.

Reply | Quote

abbodi86 wrote:

bjm wrote:

I pulled KB4078130 from Windows Update Catalog.

Windows Update = the OS internal update infrastructure Microsoft Update Catalog = external web site to download updates manually

I pull my Windows updates from Microsoft (Windows) Update Catalog.   Thanks

Reply | Quote

PKCano wrote:

bjm wrote:

Hmm, afaik I have not recently installed HP/Intel updates. Guess, I’ll look to HP for relevant info. Thanks

Advice – do not install any BIOS/microcode at this time. Things are messed up with the microcode at the moment.

Okay.  I hear ya’.    I thought AVs pushed a reg update to allow update from Microsoft/Windows related to Spectre-Meltdown.     Guess, I’m confused as to whats what.

Thanks

Reply | Quote

bjm wrote:

Okay. I hear ya’. I thought AVs pushed a reg update to allow update from Microsoft/Windows related to Spectre-Meltdown. Guess, I’m confused as to whats what.

Microsoft pushes updates to Windows OS for vulns related to Spectre-Meltdown.
The Hardware manufacturer pushes updates for the hardware (CPU) for vulns related to Spectre-Meltdown.
The AV‘s push a Registry change to allow MS updates

They are NOT the same thing.

1 user thanked author for this post.

bjm

Reply | Quote

PKCano wrote:

bjm wrote:

Okay. I hear ya’. I thought AVs pushed a reg update to allow update from Microsoft/Windows related to Spectre-Meltdown. Guess, I’m confused as to whats what.

Microsoft pushes updates to Windows OS for vulns related to Spectre-Meltdown. The Hardware manufacturer pushes updates for the hardware (CPU) for vulns related to Spectre-Meltdown. The AV‘s push a Registry change to allow MS updates They are NOT the same thing.

Granted, they’re not the same.   Okay, KB4078130 is related to hardware (HP/Intel) side even though KB4078130 came from software (Microsoft/OS) side.   And AVs reg push was related to software side.   Thanks again.

Reply | Quote

Many thanks to PKCano for the quick and useful response and the link to OscarCP’s utterly clear instructions–thanks also to OscarCP. I checked and all is well with reg edit. Onward to the next step, backing up.

Reply | Quote

hjf wrote:

Many thanks to PKCano for the quick and useful response and the link to OscarCP’s utterly clear instructions–thanks also to OscarCP.

Thanks, @hjf!  Those were actually my original “utterly clear” instructions that I posted back on January 6, 2018: https://www.askwoody.com/forums/topic/multiple-reports-of-blue-screens-bsods-0x000000c4-when-installing-the-january-win7-monthly-rollup-kb-4056894/page/7/#post-157000.  Unfortunately, they were neither quoted nor attributed in the more recent post . . .

Glad to hear that your reg edit is well!

Win 7 SP1 Home Premium 64-bit; Office 2010; Group B (SaS); Former 'Tech Weenie'

1 user thanked author for this post.

jburk07

Reply | Quote

RE: Win10 1703
Okay, I installed CU KB4057144 Build 15063.877
I’m curious what to do about KB4049011, KB4023057, KB4056254 that are WUshowhide hidden.

And also hidden is KB2538243 Security Update Visual C++ 2008 Redistributables (Microsoft Update Catalog reports Last Updated 4/5/2012).
My Apps lists several Visual C++ 2005, 2008, 2010 & 2012 with dates 2014, 2016 & 2018.
Any thoughts what I should do regarding KB2538243.

Thanks

Reply | Quote

bjm wrote:

’m curious what to do about KB4049011, KB4023057, KB4056254 that are WUshowhide hidden.

KB4049011 is the servicing stack you need it – the others stay hidden.
Update Visual C++

Reply | Quote

Pensioner Lady here…

I am using Avast free edition (which is up to date) and I note that on the ‘list’ it should be compatible for the Windows 7 January Rollup but I have only received the Net.framework KB4033342 and no monthly rollup.  Should I uninstall Avast in order to receive it?  I am non techie and set my updates to ‘never’ until DEFON 3 and am in group A

Reply | Quote

anonymous wrote:

I am using Avast free edition (which is up to date) and I note that on the ‘list’ it should be compatible for the Windows 7 January Rollup but I have only received the Net.framework KB4033342 and no monthly rollup. Should I uninstall Avast in order to receive it? I am non techie and set my updates to ‘never’ until DEFON 3 and am in group A

Right click on the icon in the right taskbar, chose update engine and definitions. In the box that pops up, click on update in the lower portion.
If you have an AMD processor you may still not get the update.

Reply | Quote

PKCano wrote:

bjm wrote:

’m curious what to do about KB4049011, KB4023057, KB4056254 that are WUshowhide hidden.

KB4049011 is the servicing stack you need it – the others stay hidden. Update Visual C++

Um, which vc file?  What’s ia64?  W10 x64 Home.

Reply | Quote

@bjm

Whichever one is available in Windows Update.

1 user thanked author for this post.

bjm

Reply | Quote

PKCano wrote:

@bjm Whichever one is available in Windows Update.

Yeah, I don’t run Windows Update if I don’t have to.   Okay.  Thanks

 

Reply | Quote

Pensioner Lady again….

Thank you PKCano.  I have followed your instructions and am informed that engine and definitions + program are all up to date.  My machine has a Celeron processor.

Reply | Quote

anonymous wrote:

Pensioner Lady again…. Thank you PKCano. I have followed your instructions and am informed that engine and definitions + program are all up to date. My machine has a Celeron processor.

Install Kb4057894

If Kb4057894 still won’t install.
Go to the optional updates. Check KB4057400, check OK at the bottom.
Go to the important updates. UNCHECK the Monthly Rollup KB4056894, click OK

Install KB4057400

Reply | Quote

PKCano wrote:

anonymous wrote:

Pensioner Lady again…. Thank you PKCano. I have followed your instructions and am informed that engine and definitions + program are all up to date. My machine has a Celeron processor.

Install Kb4057894 If Kb4057894 still won’t install. Go to the optional updates. Check KB4057400, check OK at the bottom. Go to the important updates. UNCHECK the Monthly Rollup KB4056894, click OK Install KB4057400

Isn’t Pensioner Lady’s point that as a Group A user she isn’t being offered any of the updates you’re referring to? That’s my interpretation of post #165821.

If that is the case then as a first step I would do a new search for Windows Updates (open WU from the program list and then look for updates) and see if any rollup is now offered.  If not, then I would wait until the February monthly rollup is released and keep an eye on the advice here including the DefCon ratings.

If not already done, it would also be worth following @SueW’s link in post #165760 to establish whether the registry key has been set to enable the monthly rollup to be installed. It may be that the rollup isn’t being offered through system incompatibility. Either way there’s no real harm in waiting a few days to see what is offered in the February update and for which purposes rather than setting WU to “Never” it could be set to “Notify but do not download or install” – that way it’s possible to see what is being made available and whether it’s checked or not.

Reply | Quote

@Woody:

MS Defcon 3:

This happened so fast that I’m hoping I’m not going to miss any “warnings”, etc.  It’s been so hectic that I know it’s going to be a nightmare trying to avoid the possible “bad patches”.   Is there a site that has “everything” on it for our MS Defcon3 information yet?  Thank you for getting the site more organized.    IMHO there are too many comments which do not add any information to share, rather that they are more about what is occurring with their own methods with their computers and everything takes up a lot of space and time for everyone to read.   Good Luck, and  hope the new method will help!   Thank you for all of your hard work!   🙂

2 users thanked author for this post.

Steve, Elly

Reply | Quote

walker wrote:

@woody: MS Defcon 3: … Thank you for getting the site more organized. IMHO there are too many comments which do not add any information to share, rather that they are more about what is occurring with their own methods with their computers and everything takes up a lot of space and time for everyone to read.

Walker, I know you addressed Da Boss; but as someone who did post a detailed description of hardware, process, and result, I felt I could respond with my motivation. The Outstanding Advice by all MVP’s here is clear, and uses specific language to make it apply to the widest range of cases possible. I hope you are able to find your correct course from their directions.

The most useful benefit here is for people who have questions. And the more specific they can describe their computer, the more accurate the answers will be. Another benefit comes from comparing successful reports that support the original advice. If the accurate description of my system helps another reader to recognize their own details, and so decide the advice is good; then I feel I have helped, even if they never write a comment.

If I have misunderstood the purpose of sharing results, both success and failure, then I apologize to you Walker, and others who have spent time on my non-question.

4 users thanked author for this post.

jburk07, walker, Bill C., SueW

Reply | Quote

@Paul:   I addressed the comments to Woody, although it’s really for all of us.  I welcome questions, and situations asking for help, and/or clarification.    We all learn from what we are having problems with.  No “dings” intended.  Your comments were well-taken, and understand exactly what you are referring to.    The exchange of information to help each other is beneficial to everyone, and in most instances the more data provided expedites the process.

I, like many others, am “computer illiterate”, so in some instances these exchanges go “right over my head”.  Thank you for your excellent comments, they are very much appreciated.    🙂

1 user thanked author for this post.

Cascadian

Reply | Quote

PKCano wrote:

hjf wrote:

Windows 7 intel Centrino vPro group B. Novice and grateful AskWoody reader. I have Avast antivirus. How can I make sure that the reg key is allowed? I have looked over my Avast options and don’t see any mention of this function. Thanks!

Here are the instructions for finding the key

Ok, I just rechecked my computer regarding the above instructions.
When I checked my computer when the instructions were first given, the results was I did have the “quality …” key there.
This morning, it is not there.
Other then on going updates of Microsoft Security Essentials definitions, and yesterday applying the January roll up patch and MSRT, oh and I did upgrade my Chrome browser to Vs 64 (2/2/18) that is all.
Is something wrong here?

Dell Inspiron 660 (purchased in 2013) just replaced hard drive in November 2017 and had Windows 7 reloaded.

Windows 7 Home Premium 64 bit SP 1

Server 2008 R2 x64

Processor:  Intel i3-3240 (ivy bridge 3rd generation)

chipset Intel (R) 7 series/C216

chipset family SATA AHCI Controller -1 E02

 

After new hard drive installed went to

Group A

 

Reply | Quote

dgreen wrote:

When I checked my computer when the instructions were first given, the results was I did have the “quality …” key there. This morning, it is not there. Other then on going updates of Microsoft Security Essentials definitions, and yesterday applying the January roll up patch and MSRT, oh and I did upgrade my Chrome browser to Vs 64 (2/2/18) that is all. Is something wrong here?

MSE is supposed to set the key. The only thing I can suggest is to update MSE then reboot and check again. You can manually set the key (at your own risk, of course) but MSE should be compatible.

1 user thanked author for this post.

dgreen

Reply | Quote

Well, I’ve something weird to report.
I installed january group B security patches on win 7 x64, 2 days ago. The cpu is a xeon E5205 ( 2 of them ), and there’s NO microcode offered ( and doubt it’ll ever happen ).
I have the pc under the SAME load daily, and weirdly I GAINED 10% cpu… I’m still very puzzled.

Major gain was on skype.. before was sitting at 25% , now at most goes to 21 but averages at 19%

Reply | Quote

PKCano wrote:

dgreen wrote:

When I checked my computer when the instructions were first given, the results was I did have the “quality …” key there. This morning, it is not there. Other then on going updates of Microsoft Security Essentials definitions, and yesterday applying the January roll up patch and MSRT, oh and I did upgrade my Chrome browser to Vs 64 (2/2/18) that is all. Is something wrong here?

MSE is supposed to set the key. The only thing I can suggest is to update MSE then reboot and check again. You can manually set the key (at your own risk, of course) but MSE should be compatible.

Ok, I finally found it.
Apparently the instructions was for Windows 10???
I found it searching
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat
and there it was!

Reply | Quote

Before anyone thinks they don’t have the registry key set, they should make sure they’re searching for “QualityCompat” (minus the quotation marks) as a single word. It’s too easy to think of it as two words but if you search for it as two words it won’t then be found.

2 users thanked author for this post.

Elly, PKCano

Reply | Quote

I have AVG free and an old version of MB pro (1.62.0.1300) working on my i5-750 machine with win 7 32 ultimate. Did the search for the key and found:

REG_SZ (valor no establecido)
cadca5fe-87d3-4b96-b7fb-a231484277cc
REG_DWORD 0x00000000 (0)

So I plan to install KB4055532, KB 4056568 and KB 4056898, all for 32 bit.
Question is if this procedure is right.

Thanks in advance, Mónica

Edit to remove HTML.
Please convert to plain text (.txt) before cut/paste

Reply | Quote

anonymous wrote:

I have AVG free and an old version of MB pro (1.62.0.1300) working on my i5-750 machine with win 7 32 ultimate. Did the search for the key and found: REG_SZ (valor no establecido) cadca5fe-87d3-4b96-b7fb-a231484277cc REG_DWORD 0x00000000 (0) So I plan to install KB4055532, KB 4056568 and KB 4056898, all for 32 bit. Question is if this procedure is right. Thanks in advance, Mónica

The information on the Registry key is here.
If it is present, for Win7 you should install KB4073578 (security-only), KB4056568 (IE11) and KB4055532 (.NET Rollup)

KB4056898 is for Win8.1

You can download from AKB2000003 on this site

2 users thanked author for this post.

Lori, SueW

Reply | Quote

Thanks so much, PKCano, Mónica

Reply | Quote

@PKCano:   Out of those listed I have only one in my pending updates, and that is  KB 4055532.   I do not have any of the others.   I am Win7 x64, Group A.  I think that is the only one that I would need (Security and Quality Rollup for .NET Framework (goes to 4.7.1) on Win7 and server2008 R2 for x64).  I think this would be the way to proceed with this KB (I hope).  Thank you for your guidance on this.

Reply | Quote

Pensioner Lady her again….

Thank you Seff. Your interpretation of my problem is correct.  I have 2 PCs and the one I was referring to is my laptop (running Windows 7 Home Edition and Avast AV free edition) which I use as a ‘test’ machine each time we get to DEFCON 3.  I have checked using regedit.exe and the registry key has not been set which is presumably why I am not getting the Monthly Rollup. I will follow your advice for which I thank you.

My second machine is a Lenovo desktop running Windows 7 Pro and Avira AV.  The registry key appears to be set for that so I am going to bite the bullet and try to install updates on this machine………..fingers crossed……

 

 

 

Reply | Quote

FWIW, I’m OK now but had to Image back to an hour earlier after Re-Start Stuck (gave-up after 30 min) on “About to install updates – Don’t Turn-off computer”. I had Inst’d All Chk’d Importants – EXCEPT –  .NET Rollup for 4.7.1.

Today I Inst’d in separate segments: (1) KB 4056894 W-7 Qual Rollup, then (2) [5] Office 2010 + MSRT, then (after Image Incr) (3) KB 4055532 Quality Rollup NET Frmwk 4.7.1.

(Jun ’12 Gateway – Best Buy) With Sandy Bridge = No Intel Help …  I presume I’m operating at a self-imposed risk, anyway, until I get a new computer. Good luck to All!

W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / Macrium Pd vX / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU = 0

2 users thanked author for this post.

jburk07, SueW

Reply | Quote

walker wrote:

@paul: I addressed the comments to Woody, although it’s really for all of us. … No “dings” intended. … much appreciated.

I also assume public comments are for public reply, like an open letter. Glad you intended that way as well. No ding received. Only I felt the urge to explain a bit for you, in response. Cheers! Enjoy the day.

—

Fast edit to remove smiley from Quote box. It displayed in five inches (13cm) and I feared it would be taken as sarcasm not intended.

1 user thanked author for this post.

walker

Reply | Quote

anonymous wrote:

Pensioner Lady her again…. Thank you Seff. Your interpretation of my problem is correct. I have 2 PCs and the one I was referring to is my laptop (running Windows 7 Home Edition and Avast AV free edition) which I use as a ‘test’ machine each time we get to DEFCON 3. I have checked using regedit.exe and the registry key has not been set which is presumably why I am not getting the Monthly Rollup. I will follow your advice for which I thank you. My second machine is a Lenovo desktop running Windows 7 Pro and Avira AV. The registry key appears to be set for that so I am going to bite the bullet and try to install updates on this machine………..fingers crossed……

You’re welcome, and good luck!

I know the feeling, one of my desktops is an AMD Phenom II and they had problems with the January rollup so that it was first offered, then unchecked, then checked again. Today I too decided to bite the bullet and installed it – fortunately all is well thus far. Just the .Net Framework update to install in the next day or two (when there are problematic updates I prefer to keep them apart so that if anything happens I know which one caused it) and my January updating will be complete, my Intel machine having taken both those updates and the Office 2010 updates ok the other day (again, both machines are updated a couple of days apart in case of issues). The extra Office update that was offered yesterday is unchecked and will be reviewed as part of the February patches.

I owe so much to Microsoft, as a Pensioner Gent if I didn’t have their updates to worry about I don’t know how I’d fill my time! Oh wait, I already have less free time now before thinking about the updates than I had when I was working full-time!

1 user thanked author for this post.

jburk07

Reply | Quote

Hi. My OS is Windows 10 PRO 64-bit version 1703. Since we are at MS-DEFCON 3, I disabled the quality updates deferral group policy which was set to 30 days. WU installed all the January updates including cumulative update KB4056891 but I have not received KB4057144 yet. Thus my build remains at 15063.850 when 15063.877 has been available for weeks. I have tried rebooting, checking for updates many times. My antivirus is Windows Defender and the “QualityCompat” registry key exists. WU thinks that my device is up to date. My CPU is Intel. Is KB4057144 just for AMD systems by any chance? Is anyone else having this problem please?

Reply | Quote

anonymous wrote:

Hi. My OS is Windows 10 PRO 64-bit version 1703. Since we are at MS-DEFCON 3, I disabled the quality updates deferral group policy which was set to 30 days. WU installed all the January updates including cumulative update KB4056891 but I have not received KB4057144 yet. Thus my build remains at 15063.850 when 15063.877 has been available for weeks. I have tried rebooting, checking for updates many times. My antivirus is Windows Defender and the “QualityCompat” registry key exists. WU thinks that my device is up to date. My CPU is Intel. Is KB4057144 just for AMD systems by any chance? Is anyone else having this problem please?

I got KB4057144 on an Intel machine through WU for my Win10 1703.
Settings: Feature updates = 365, quality updates = 0, no pause
Group Policy: Windows Update = Notify download/install (2), Delivery Optimization Enable = 99 (HTTP, no peering, no DO)

Reply | Quote

Update from Pensioner Lady

Have installed KB4055532, KB4056894, and KB4033342 individually on my Lenovo Desktop (Windows 7 Pro and Avira AV) without any problems.

Will tackle my troublesome laptop updates over the weekend.

Thank you so much for the folks who take the trouble to answer questions on this site. As an ordinary (non techie) user but one who likes some control over what is being downloaded onto her machines, your help and advice is invaluable.

Reply | Quote

@Pensioner Lady:  Noted that you installed KB 4056894 with no problems on your desktop computer.  I had seen a few issues with some users,  however yours appeared to be successful.   I think the last comment about this KB was for your laptop only?

Reply | Quote

Pensioner Lady further update…

Tried again on my laptop but still no Rollup being offered. Uninstalled Avast AV and turned on Windows Defender … still no update offered and on checking regedit.exe still no ‘key’. Closed Defender and installed Avira AV and voila…. I now have updates…..

2 users thanked author for this post.

Cascadian, amraybt

Reply | Quote

anonymous wrote:

Pensioner Lady further update… Tried again on my laptop but still no Rollup being offered. Uninstalled Avast AV and turned on Windows Defender … still no update offered and on checking regedit.exe still no ‘key’. Closed Defender and installed Avira AV and voila…. I now have updates…..

The later version of Avira set the Registry key for you.

Reply | Quote

Walker – Pensioner Lady here

Yes – Lenovo Desktop was no problem.  I wasnt getting offered any monthly rollup for my laptop but was offered KB4056894  after changing AV from Avast to Avira (the new 2018 edition). The download and installation on both machines was fine.

 

 

Reply | Quote

BSOD’d  after KB4058258. An elder friend’s HP Notebook i3-7100U running Win 10 home x64 1709 (16299.192).

“inaccessible boot device”

Restore to pre-KB4058258 restore point (and then one older one) claims sucess, but still un-bootable.
Same update same day on his wife’s HP and my Dell, with no apparent problems.

Reply | Quote

G’day!  I seem to have survived yesterday’s Jan 2018 updates for Win7 (AMD desktop) & Win10 (Intel laptop) without incident.  What prompts me to write today is Woody’s observation for Win7 patches in his Feb 5 “snake oil” column (not the first appearance):

“…the privacy path’s getting more difficult. The old “Group B” – security patches only – isn’t dead, but it’s no longer within the grasp of typical Windows customers.”

Let me be clear:  I am not nitpicking.  I am, however, genuinely puzzled.  Follow…

Back in the day (1990’s) I was considered to be the “tech genius” in our small low-tech office, people frequently coming to me for help untying their computer knots more creatively than pitching a shoe at their screens.  I was the senior engineer, so no surprise there.  Not a computer or electrical engineer, mind you, but when there is a “P.E.” after your name, people expect you to know how to do everything from designing a bridge to fixing a malfunctioning vacuum cleaner or can opener.

I had acquired basic DOS literacy, so I was able to solve 90% of my colleagues’ problems, but I was embarrassed by the adulation which followed, repeatedly pointing out that “I just know 10% more than YOU do, which just makes me SEEM like a genius!”

That gets me back to Woody’s observation.  Especially in the Windows era, I consider myself a “typical” user – a Group B refusenik, yes, but otherwise typical.  It seems to me, Woody and his compadres ( @PKCano, @MrBrian and others) have made the Group B option ridiculously easy, reducing it to a strictly paint-by-numbers operation.  Another memory that comes to mind is the hall floors of the famous Oakland Induction Center (the gateway to the infamous Vietnam War when I walked them), which were densely painted with multi-color arrows leading hither and yon, so even the most mentally challenged among us could find their way to the next station in the induction process.

So, all I do is list my installed updates (Control Panel>Programs>Programs and Features>Installed Updates) to confirm I am up-to-date before I start, find the new updates in @PKCano’s AKB 2000003, follow the crystal-clear steps, and voilà – I’m done!

What’s so difficult about that??  I am getting that uneasy feeling one gets just before discovering that he is doing it all wrong, and missing some essential step!

If I am, I hope someone sets me straight pronto!

If not, then Woody’s estimation of the “typical Windows customer” is either excessively low – or mine is too high!  🙂

– Northwest Rick

Reply | Quote

Hello Northwest Rick,

I, too, am Group B… and I find it quite simple to follow… but I’ve been doing it since its inception, here at the Lounge.

Group B works well for people who want to avoid telemetry being added to their systems, or that need to avoid a particular patch that causes havoc on their Win 7 or Win 8.1 system.

There was some concern that a fix for a security update might be included in the non-security updates. I don’t remember now how that worked out, but I continued doing only the security updates and have had no problems.

Then there is an issue of having to either hide or install all available updates before certain (servicing stack?) updates are even offered through Windows Update… and every month you need to make sure everything is installed or hidden, and run Windows Update one more time, to see what shows up. MrBrian spent a lot of time testing and figuring it out. He made it relatively easy for us, but it was a lot of work for him.

Group B has to update IE separately, but Group A has it updated automatically. Yes, they provide the links, but it is one more thing that makes it more complicated, or that someone could forget to do.

It can be difficult for some people to understand that there was a particular time that the rollups started, and that they can’t just skip back and forth between the Monthly Quality and Security Rollups and the Security only updates and get the results that they are expecting. Once a Group B computer is updated with the Monthly Quality and Security Rollup, it is Group A. The reverse is not true. Microsoft made it confusing by having ‘Security’ in the name of both updates. Rollups are Group A… unless we are talking about .Net… See… it gets confusing to explain.

Then there are the people who come here recently, and like the idea of Group B updating, having stopped updating entirely for some time, or having regularly updated with the Rollups… It can be done/undone… but it is time consuming and every monthly security update has to be installed… and it is relatively easy to accidentally skip this or that and have less than a fully updated machine, and not even know it. There are 100’s of updates if you decide to do a clean install, and start back from scratch, and you don’t install certain updates to avoid the telemetry, so you have to pay attention… and all those KB numbers can make your head spin. So, it takes some commitment.

It is a lot easier to tell people to join Group A and  just install the latest cumulative rollup and be done with it.

That said, the MPVs do an outstanding job helping people find their way… even us, the more difficult to explain and support, Group B types.

Non-techy Win 10 Pro and Linux Mint experimenter

4 users thanked author for this post.

Bill C., SueW, Northwest Rick, MrBrian

Reply | Quote

G’day Elly,

Thanks for addressing my perplexity. You managed to be both thorough and brief, a balance I strive for myself, alas with mixed results. Though I realize that we live in an age of severely truncated attention spans, most things worth discussing simply cannot be reduced to a bumper sticker.

The important thing is, no one has so far told me: “RED ALERT! You skipped Step X!” I suspected much of what you have suggested, but I wanted to hear it from an independent source. Thank you for volunteering! 🙂

The problem with saying an option isn’t dead but becoming progressively more difficult is, it strongly implies an eventual demise. As is usually true, it isn’t that simple, no?

For those of us who are charter members since inception, and have faithfully kept our devices current according to that option, Group B seems to be internally sound and healthy. The only threat to its viability that I am aware of is external: if M$ stops offering complete security-only versions of monthly updates. So I would suggest, we should not be referring to it as “not dead”. It’s misleading. Those of us currently walking the planet aren’t dead either, and even though that may be our ultimate destination, most of us are focused on enjoying the vital and vibrant present, not morosely obsessed with the end game.

But as you rightly point out, Group B is a considerably more complicated option for Johnny- and Mary-come-latelies, including followers of Group W. If they stopped updating long before the inception of Group B, they would have to follow the installation sequence laid out and maintained in @PKCano’s AKB 2000003 step-by-step, in chronological sequence, cognizant of the fact that these are incremental, not cumulative, and cannot be skipped or omitted. Yes, that makes it more difficult, but neither impossible nor hopeless. If I were in that position, I would view it as an effort worth undertaking and roll up my sleeves, rather than moaning “woe is me!”

Similarly, if some members of Group A (formally or not) suddenly determine themselves to be on the “wrong” track (a subjective, not objective judgment), and decide to switch to Group B, that door is not closed either. As you also point out, they would have to uninstall rollups back to Group B inception, then do what is described in the previous paragraph.

I don’t know about you, but I have never been defeated by the mere difficulty of an undertaking I determined to be either worthwhile or essential (sometimes both). It’s a question of personal choice, not one of being thwarted by a daunting obstacle, no?

So, perhaps monthly Group B instructions should begin with something like this:

“The Group B option works well for those who have followed it since inception, but because manually processed security-only updates are not cumulative, and must be installed in chronological order, it is not possible to jump in at any time. Those considering switching to Group B must either have stopped updating before inception, or must first uninstall any rollups processed since inception.”

You are quite right that Woody’s team continues to provide yeoman service in the background. I have consistently acknowledged this in my periodic comments, even backed up my appreciation through periodic monetary contributions to askwoody.com. But I am pretty sure that references to degree-of-difficulty are warnings to end users, not attempts to generate sympathy for the team itself, who after all are professionals, no?

Thanks again for sharing your thoughts with me Elly. May fortune continue to smile on us in Group B. Cheers! 🙂

– Northwest Rick

Reply | Quote

Northwest Rick wrote:

So, all I do is list my installed updates (Control Panel>Programs>Programs and Features>Installed Updates) to confirm I am up-to-date before I start, find the new updates in @pkcano‘s AKB 2000003, follow the crystal-clear steps, and voilà – I’m done!

What’s so difficult about that?? I am getting that uneasy feeling one gets just before discovering that he is doing it all wrong, and missing some essential step!

There is specialized advice for the January 2018 updates.

1 user thanked author for this post.

Northwest Rick

Reply | Quote

All caveats have been observed.  Do you mean antivirus-compliant registry entry and chip maker awareness?  Confirmed those a month ago, when the Spectre/Meltdown issue first emerged.

Maintaining a current system image as a fall-back, not placing a check next to unchecked items, avoiding anything marked “Preview” and avoiding telemetry or driver-related updates?  Those have been standing guidelines for some time already.

Avoiding firmware patches was part of an alert from Woody (“Belay that order!”) weeks ago, (not that I needed it – my default position is “don’t do it before consensus develops!”)

Anything else?  Thanks!

BTW, Woody’s assessment regarding the “difficulty” of the Group B approach predates all of these complications, so remains a head-scratcher for me…

1 user thanked author for this post.

Elly

Reply | Quote

Northwest Rick wrote:

All caveats have been observed. Do you mean antivirus-compliant registry entry and chip maker awareness?

Yes, and for Windows 8.1 there is an additional “PIC and APIC interrupt controllers” issue.

2 users thanked author for this post.

Elly, Northwest Rick

Reply | Quote

Elly wrote:

It can be difficult for some people to understand that there was a particular time that the rollups started, and that they can’t just skip back and forth between the Monthly Quality and Security Rollups and the Security only updates and get the results that they are expecting. Once a Group B computer is updated with the Monthly Quality and Security Rollup, it is Group A. The reverse is not true.

There is no problem that I am aware of with switching from Group A to Group B. Windows monthly rollups can be uninstalled if they are no longer wanted.

2 users thanked author for this post.

walker, Northwest Rick

Reply | Quote

I wasn’t saying that you can’t switch back to Group B, only that as long as there are rollups installed, and you start installing the Security Only updates, you aren’t accomplishing what Group B is for… unless you are only trying to avoid a particular update going forward. The rollups install telemetry…

Non-techy Win 10 Pro and Linux Mint experimenter

Reply | Quote

Elly wrote:

The rollups install telemetry…

The Windows monthly rollups, as well as some other updates, install Diagnostics Tracking Service, but it’s KB2952664 (Win 7) and KB2976978 (Win 8.1) that are responsible for the telemetry that most here who are concerned about telemetry seem to care about. KB2952664 (at least in the older version(s) that I tested) does not need Diagnostics Tracking Service installed to send telemetry to Microsoft.

Reply | Quote

Does that mean the Diagnostics Tracking Service as installed by the rollups doesn’t send info back to Microsoft unless KB2952664 (Win 7) and KB2976978 (Win 8.1) are installed?

Non-techy Win 10 Pro and Linux Mint experimenter

Reply | Quote

Elly wrote:

Does that mean the Diagnostics Tracking Service as installed by the rollups doesn’t send info back to Microsoft unless KB2952664 (Win 7) and KB2976978 (Win 8.1) are installed?

Some third-party programs can use Diagnostics Tracking Service to send telemetry. If not participating in Windows Customer Experience Improvement Program, then I didn’t find evidence that anything else within Windows 7 sends telemetry via Diagnostics Tracking Service, except for a little bit by KB2952664; reference: https://www.askwoody.com/forums/topic/care-to-join-a-win7-snooping-test/#post-21467.

Here’s what I did regarding telemetry (Win 7):

1. Be in Group A.

2. Turn off Windows Customer Experience Improvement Program.

3. Don’t install KB2952664.

4. Don’t install KB3021917.

A topic that may be of interest: Care to join a Win7 snooping test?

 

3 users thanked author for this post.

abbodi86, woody, Elly

Reply | Quote

Northwest Rick wrote:

G’day! I seem to have survived yesterday’s Jan 2018 updates for Win7 (AMD desktop) & Win10 (Intel laptop) without incident. …
Let me be clear: I am not nitpicking. I am, however, genuinely puzzled. Follow…
What’s so difficult about that?? I am getting that uneasy feeling …
If not, then Woody’s estimation of the “typical Windows customer” is either excessively low – or mine is too high!

Glad it all went well for you, Rick. And I do believe you are doing it correctly. Many of the ‘difficult’ things flow right by you from familiarity.

But Woody writes his tips for both you and FamilyMan here, and many others besides. Needing to meet everyone’s needs might lead to generalizations. You have the experience and skill to perform the monthly task with no problem. FamilyMan may have just as much knowledge and skill, but lacks experience in the AskWoody jargon and presentation style. Others may not approach the same skill or comfort level.

The phrase that troubles you could be the phrase that gives these folks hope in the middle of a hopeless mess. They may be looking for the simple way to get this tedious process done and move on to life away from the silicon pile. It is good that you do not find it tedious. But I have seen fear in their eyes, and anguish in their voice disappear after reading Woody. He communicates in a way that I cannot. And I am glad that he has helped people recover sanity. Some are people that I only got from one month to the next, never succeeding to make them feel they could do it themselves. Now they do.

1 user thanked author for this post.

Northwest Rick

Reply | Quote

Hey Cascadian,

I do realize that a range of abilities is being addressed, but IMHO discussion about Group B has been unnecessarily pessimistic.  You may recall, Woody opened up a topic about the very viability of Group B a while back.  That did not leave me feeling warm and fuzzy!  When people start questioning whether something is viable, one starts looking to see if the undertaker is rolling up the driveway!

I have never had much affection for the Windows interface (I actually preferred DOS);  I have grown comfortable with Win 7, but I positively loathe Win 10.  So I haven’t given much thought to the inner workings of either one.  In that sense, though I may have a problem-solving nature and peripheral abilities, I too rely on advice I find here.

Group B seems to me to be a good response to relentless snooping by M$, one that appears to be working well, so I have trouble understanding why its drawbacks rather than its benefits continue to be emphasized.  I don’t see that to be a necessary element of addressing a broad audience.

For me, the fallback option is not Group A, but Group W.  If Group B is allowed to wither on the vine, I will be forced to shift to post Win 7 support mode sooner than expected.  I know that day is coming, I just don’t see why we have to rush it.

But hey, mine is just one opinion among many!  I don’t expect to win every battle, but I am not one to remain passive or silent when I sense the tide turning against my preferred outcome.  Cheers!

-NR

2 users thanked author for this post.

Elly, Cascadian

Reply | Quote

Hi Northwest Rick,

I hope I did not read as dismissive, I meant to add inclusion of others rather than diminish your opinion. I do remember Woody’s actively seeking opinions of his trusted readers on the utility of GroupB. And I think many voices were heard. That is specifically why Woody continues to acknowledge the option and link to the appropriate directions. If there was a battle for continuation of GroupB, consider it won not lost.

Similar to your personal story, I wanted to offer the story of three specific people that I rolled into one short line, because they are unlikely to share their own experience. I don’t throw the word guru around much, and I hope Woody’s not too humble to hear it. To the kind of person who’s eyes glaze over when I step them through while they move the cursor around, there is a relief that is visible when they read a guru say this is difficult stuff. It doesn’t matter if a mere mortal like me reassures them. Reading it on Computerworld and linking to AskWoody gives them the feeling that this is a website they can trust. Woody has a flair for expression that reaches these people.

I do use GroupA currently. And I do mean currently. When Microsoft sets something I do not want, I can wait until they convince me (MSDefcon), or opt for the pieces I do want (GroupB), while waiting for them to figure it out. At this current point, with my Win7, I am not convinced that GroupB excludes anything I have not already addressed through other means. Therefore I take advantage of the internal checklist available through Windows Update, and GroupA, when I choose to allow updates. I can switch to GroupB to protect my system from a future flaw when one becomes apparent. It will not suddenly revert me to OCT2016, but I do not expect or demand that.

I am happy that the GroupB method continues to be curated. If I need it it is there. Returning to your ocean waters, you are a strong swimmer, and should be able to hear the lifeguard advise the nervous paddlers about the strength of the surf because they need the reassurance. They like knowing someone is looking out for them. It gives them the courage to learn to become a stronger swimmer themselves.

1 user thanked author for this post.

Elly

Reply | Quote

Hi again Northwest Rick,

Staircase thoughts. They happen to me all the time. It is a separate point from my prior item, so commenting separately.

I realized I failed to address your very first line “I do realize that a range of abilities is being addressed…” There is an error there that can be dismissive to others, and they may not let you know. I am sure you do not intend it that way. And I hope I did not perpetuate it myself.

The choice to follow GroupA or GroupB might hinge on ability. But I believe there are people far more capable of making silicon sit up and bark while serving me a nice cup of coffee, and getting Jimmy out of the well. And they are choosing to use the GroupA method. I do not think it is lack of ability that drives their choice. Rather, a choice of comfort, expediency, or a knowledge based decision to receive the complete package on offer, because it meets their requirements.

Every system and user may have unique requirements. There may also be a significant amount of overlap. Cheers to you as well.

1 user thanked author for this post.

Elly

Reply | Quote

Read #164935

It says very clearly the answer to your question.

1 user thanked author for this post.

woody

Reply | Quote

It’s probably ok for everybody in Group B to use KB4073578 as your January 2018 Windows security-only update for Windows 7, and KB4077561 as your January 2018 Windows security-only update for Windows 8.1. Caveat #1: These updates have the Spectre/Meltdown fixes, so even these updates have the potential for serious compatibility issues with your antivirus software. Caveat #2, as is always the case with any update, it’s an open question if there are problems with these newer updates that the older updates don’t have.

6 users thanked author for this post.

Elly, Sueska, AJNorth, JDeC, woody, amraybt

Reply | Quote

Torture test? I can’t say I’ve been inconvenienced at all, largely thanks to the excellent advice I’ve picked up on this site. Just slightly mazed at the angst expressed by so many. But I do hide everything I don’t want to install – I understand from MrBrian that’s the only way forward if you’re in Group B – so my WU is very tidy. Rather a lot got hidden, this month.

3 users thanked author for this post.

SueW, John, Elly

Reply | Quote